OWASP Czech Chapter Meeting

By Czech chapter OWASP team

When and where

Date and time

Thursday, October 31, 2019 · 8am - 6:30pm CET

Location

Microsoft Development Center Prague Vyskočilova 1561/4a 140 00 Prague Czechia

About this event

Dear OWASP fellows,

It’s our pleasure to inform you that the next local chapter meeting will be held on October 31st 2019 at the Microsoft office, Vyskočilova 1561/4a, Building Delta, Praha 4.

This time we have again prepared a day full of interesting speakers and workshops for you. As usual, admission is free of charge.

Schedule

Morning workshops (registration required)

8:00 - 12:00 Nicolas Grégoire: Practicing Burp Suite v2’s new features

9:00 - 12:00 Kamil Vavra & Martin Bajanik: OWASP Top 10 workshop

9:00 - 12:00 Petr Kolář & Michal Čábela: Cyber Arena

Afternoon workshops (no registration)

13:00 - 17:00 Tuna CTF team: Security & Lockpicking CTF

13:00 - 18:00 Petr Kolář & Michal Čábela: Cyber Arena Simplified (on demand)

Talks

12:00 - 12:15 Opening ceremony with OWASP chapter leaders

12:15 - 13:00 PIZZA TIME!

13:00 - 14:15 Mario Heiderich: An Infosec Timeline - Noteworthy Events from 1970 to 2050

14:15 - 14:30 break

14:30 - 14:50 Kamila Babayeva & Sebastian Garcia: Fantastic Attacks and How Kalipso can find them

14:50 - 15:15 Sebastian Garcia & Ondřej Lukáš & Kalin Ivanov: Ludus project - Make honeypots great again!

15:15 - 15:45 break

15:45 - 16:30 Michele Orrù: Puppeteer for Evil Minds

16:30 - 16:45 break

16:45 - 17:25 Simona Musilova: When A Password Is Not Enough - Developing A New Way Of Protecting Smart Homes

17:25 - 17:45 break

17:45 - 18:30 Martin Klubal: ATM Hacking Bluntly

Information about the trainers and workshops

Practicing Burp Suite v2’s new features

Nicolas Grégoire

With more than 15 years of experience in (mostly web) penetration testing, Nicolas Grégoire has also been an official Burp Suite Pro trainer since 2015. His security research has been presented at numerous conferences around the world, and he has been publicly thanked by numerous vendors for responsibly disclosing vulnerabilities in their products and services, directly or through bug bounty programs. His publications are available at https://www.agarri.fr/en/publications.html

Workshop outline:

We plan to give trainees a practical understanding of all the shiny new features of Burp Suite v2 (cf. https://portswigger.net/blog/burp-suite-2-0-beta-now-available for a partial list), with the ability to easily apply this knowledge to future real-life situations. That of course covers the new “Dashboard” tab and its configuration library, but also WebSockets (from now on supported in Repeater), the oriented graphs generated by the revamped crawler, and much more! Additionally, a few highly useful scenarios (like brute-forcing a CSRF-protected form without using macros) and extensions (Logger++, Hackvertor, Turbo Intruder, ...) will be presented.

Everything is “hands-on”, as attendees will practice on the labs I use during my usual 3-day Burp Suite Pro training sessions.

Requirements:

Attendees must be comfortable with the Burp Suite GUI (either v1 or v2, Community or Pro). A supported 64-bit OS (Linux, Windows or Mac), with WiFi connectivity, is required. Burp Suite Pro v2 itself (and the corresponding JRE) will be installed during the workshop.

OWASP Top 10 workshop

Kamil Vavra - AppSec @ Kiwi.com, Moderator of reddit.com/r/bugbounty, Interested in ethical hacking and privacy

Martin Bajanik - AppSec @ Kiwi.com, OSCP

Workshop outline:

A hands-on practical workshop for beginners interested in offensive web security. Kiwi.com’s AppSec team will show you how to hunt for vulnerabilities effectively. No previous experience or deep knowledge of web security is required, and you can immediately apply what you learn to real-world targets.

Participants will learn the basics of Burp Suite usage and how to find and successfully exploit OWASP Top 10 vulnerabilities using OWASP Juice Shop.

Requirements:

  • You should know what an HTTP request and response look like
  • Know the difference between a GET and a POST request
  • Have a basic understanding of TLS (HTTPS)
  • No programming skills required

Equipment for attendees:

  • Laptop + charger (Burp can be hungry)
  • Browser (ideally Firefox)
  • (recommended) Burp Suite pre-installed

Nice to have:

  • Linux or macOS
  • Docker

Cyber Arena

Petr Kolář

Petr Kolář has worked at PwC, in the team dealing with cyber security, for 4 years. During this time he has focused mainly on the development of Cyber Arena and its global distribution, on Cyber Security Awareness training including phishing campaigns, and last but not least on projects in the area of security architecture. A minor part of his professional portfolio consists of various audit projects (ISO 27k).

Michal Čábela

Michal Čábela has worked at PwC for 9 years, and he is the father of the idea of creating Cyber Arena. In addition, he works on a wide range of cyber security projects, specialising in the technical side of cyber security. He is currently focusing intensively on OT security, applying his experience on projects around the world.

Workshop outline:

Forget boring cybersecurity training and endless presentations. With Cyber Arena, you will gain practical experience. A unique simulation of risk assurance and defence strategy will offer a clearer understanding to the members of your management and technical teams. You will learn to act fast in a crisis and to efficiently build a modern and safe company.

Along with other colleagues (IT Security, IT Operations and Top Management roles), you will experience what it is like to defend your company against cyber attacks.

Security & Lockpicking Workshop (CTF)

Tuna CTF team

  • Filip Holec - Leader of educational Ethical Hacking, Linux or Python workshops and Co-Founder of https://engeto.cz

  • Martin Zember - 11 years of experience in pentesting, Founder of https://zembered.com

  • Petr Skyva - Cyber-Security student @ FI MUNI, Cloud Architect @ Cleverlance

  • Jan Masarik - AppSec @ Kiwi.com, OSCP, Noob bug bounty hunter

Workshop outline

Interested in learning the basics of hacking or lock-picking? We’ve prepared a CTF with vulnerable machines (up-to-date and built from the ground up by us), combined with lockpicking challenges. For the best participants, there will be a bottle of Bozkov and a ticket for a secret after-party!

Note: You are not required to be present in the CTF room to attend (lockpicking challenges are restricted to the room).

Who is this for?

It is for everyone interested in security and lockpicking, from newbies up to seasoned pentesters (there will be a hardcore challenge). If you know what a port is and what an HTTP request looks like, you should come! If you are a beginner, we recommend attending the OWASP Top 10 workshop beforehand; it will give you the necessary introduction so you won’t get overwhelmed.

Requirements:

  • Laptop with Burp or OWASP ZAP
  • No lockpicking equipment required (but encouraged)

Cyber Arena Simplified (on demand)

Petr Kolář & Michal Čábela

Workshop outline:

Didn't register in advance? No problem. Come to our stand to try the 1-on-1 variant: we attack your company and you have to defend it. Or would you prefer the opposite? If you are the best, the reward won't pass you by.

Information about the speakers and talks

Mario Heiderich

Dr.-Ing. Mario Heiderich, aging but still somewhat handsome heart-breaker, ex-security researcher and now a more or less overpaid secretary, is from Berlin, still likes everything between less-than and greater-than, also fine food and wine pairings, and leads a small yet exquisite pen-test company. He frequently pesters peaceful attendees at various conferences with PowerPoint slides and a very immature sense of humor. Since he doesn't do any research any longer, he really has no actual talk material left, hence finds himself pushed into the shadiest of corners, the keynote corner. People often laugh during his presentations and he assumes it's about his jokes. He could not be more wrong with his assessment.

An Infosec Timeline - Noteworthy Events from 1970 to 2050

Let's just lean back and look at our wonderful field from a rather wide-angle and see what happened between 1970 and right now. But let's not stop there and also look into the future and see where we will end up in 2050. Our speaker will use his prophetic skills and connections to the spiritual world and provide an outlook on major infosec milestones yet to come. It will be GREAT.

Sebastian Garcia

Sebastian (sebastian.garcia@agents.fel.cvut.cz, @eldracote) is a malware researcher and security teacher with extensive experience in machine learning applied to network traffic. He founded the Stratosphere Lab, home of the first machine learning-based free software IPS. The Stratosphere Lab has ~15 researchers working on security topics and executing malware to create large datasets. He likes to analyze network patterns and attacks with machine learning. As a researcher at the Czech Technical University in Prague, he believes that free software and machine learning tools can help better protect users from abuse of their digital rights. He has been teaching in several countries and universities and working on penetration testing for both corporations and governments. He was lucky enough to talk at several conferences such as Ekoparty, DeepSec, Hacktivity, Botconf, Hack.lu, InBot, SecuritySessions, ECAI, CitizenLab, ArgenCon, Free Software Foundation Europe, VirusBulletin, BSides Vienna, HITB Singapore, CACIC, AAMAS, etc. He co-founded the MatesLab hackspace in Argentina and also co-founded the Independent Fund for Women in Tech. His research covers honeypots, malware traffic detection, social network troll detection, distributed scanning (dnmap), keystroke dynamics, Bluetooth analysis, privacy protection, intruder detection, robotics, microphone detection with SDR (Salamandra) and biohacking.

& Kamila Babayeva

Kamila (babaykam@fel.cvut.cz, @_kamifai_) is a bachelor's student from Kazakhstan, currently studying at the Czech Technical University in Prague. She is highly interested in understanding and analyzing malware. She currently works as a junior malware reverser at Civilsphere, a project dedicated to protecting civil organizations and individuals from targeted attacks. She spends her free time learning and programming in JavaScript and Python. She has spoken in the past at the OWASP CZ Chapter conference in 2019.

Fantastic Attacks and How Kalipso can find Them

Detecting attacks in a network is very hard due to the huge amount of information, and the similarity between attacks and normal traffic. Knowing the traffic of your computer is hard enough, more so in a large network. An analyst has to decide and block infected computers without being aware of all the details. A company may afford a large detection system based on big data, but what about you? 

Slips is a network intrusion detection system that uses flows, behaviors, and machine learning to detect attacks in a network. Based on Zeek and with a modular structure, it is easy to extend the system with new models of your own design, leaving the final decision to an internal ensembling algorithm. From flow-based port scan detection to anomaly detection, threat intelligence, VirusTotal integration, geolocation and machine learning profiling, Slips includes modules that can give a comprehensive high-level view of your security. However, it is very hard to show this information clearly and to include the analyst in the process. Enter Kalipso.

Kalipso is a Node.js-based terminal interface designed to display the complexity of the information produced by Slips. This interface helps traffic analysts quickly get a high-level understanding of what is going on in the network. With animated graphs and charts based on the blessed and blessed-contrib libraries, it is possible to configure and connect data from Slips meaningfully. After Slips has filled the Redis database, Kalipso is ready to display the information. It creates a tree with all IP addresses in the traffic, separating the data into time windows. For every IP and time window, it shows a timeline, detections, and a map with the geolocation of all the destination IPs contacted. Each IP address is modeled using stacked bars and tables based on the destination ports contacted, destination IPs contacted, source ports used, and ports opened as a server. Different windows are accessed with hotkeys, and important information is highlighted with several font types and colors. Distinctive outgoing connections are displayed together with their VirusTotal information and behavioral model. Complete with the ability to copy information to the clipboard or save it to a file, Kalipso allows the analyst to rapidly get an overview of what is happening in a network.

Sebastian Garcia

& Ondřej Lukáš

Ondřej Lukáš is a master's student at the Faculty of Electrical Engineering at the Czech Technical University. Additionally, he works as a researcher in the Stratosphere Laboratory in the AI Center of FEE on the LUDUS project, focusing on the application of game theory to honeypot deployment. In his free time, he enjoys traveling and sports.

& Kalin Ivanov

Kalin Ivanov is a bachelor's student at the Faculty of Electrical Engineering at CTU and also works at the Stratosphere Lab on the Ludus project. His interests lie on the border between hardware and software in the areas of cybersecurity, robotics and artificial intelligence. When possible, he likes to travel and explore new places.

Ludus project - Make honeypots great again!

The rising number of attacks against home network routers brings up the importance of securing these devices better. However, the range of available means of defense for home routers is limited. Additional constraints, such as the performance of the devices, have to be considered when designing a defense strategy. In our talk we will present project Ludus, which is the result of almost 3 years of research in collaboration with CZ.NIC. It brings the idea of collaborative defense for large groups of users. That means users can join forces to defend against attackers and help each other to better secure their devices.

The primary tool that we use for defense is a honeypot: a trap designed to stop or stall the attacker while extracting information about the intruder and the course of the attack. There are dozens of types of honeypots, but bearing in mind the technical limitations of the devices, users have to choose where to deploy them. Even though the concept of a honeypot dates back more than 20 years, nowadays the development of the technology seems to be somewhat stalling. The proposed method is a new approach to honeypot deployment and will be explained in detail in the talk.

Attacks against home routers can be modeled as a two-player game. A Game-Theoretical approach provides us with a means of using this model for generating optimal strategies where to deploy the honeypots. 

In this talk we will show our open-source tool Ludus, which utilizes those concepts and is a fully automated honeypot manager for Turris routers and other OpenWrt devices. Moreover, we will discuss the problem of external measurement of the defense strategy's efficiency. For that, we propose a combination of security metrics as well as an overall measure of security. This is intended to give users and analysts a numerical value for the state of their security, enabling them to act on this information and further adjust the defense mechanisms. By comparing the metrics over time, users can see whether their security is improving or not, as well as compare their own security to the overall aggregated security of all routers. To form the metrics, aggregated anonymized data from individual devices are collected and analysed using the Elastic Stack. These visualizations are available to the entire community for further research.

Michele Orrù

Antisnatchor is a security consultant with over ten years of experience in penetration testing, source code auditing and development. During the last five years his focus has been on phishing and client-side exploitation:

  • Co-author of The Browser Hacker’s Handbook
  • Co-author of the X41 Browser Security Whitepaper
  • Ex-core developer of the Browser Exploitation Framework Project (BeEF) and the Muraena phishing toolkit
  • Golang enthusiast
  • Co-organizer of WarCon, a private offensive-security conference in Poland
  • Speaker at KiwiCon, RuxCon, OffensiveCon, ZeroNights, OWASP, BlackHat Arsenal, HackPra AllStars and other security conferences about browser security and phishing.

Puppeteer for Evil Minds

The browser automation capabilities of Puppeteer go beyond what you can imagine. Functional testing is not the only way you can (ab)use this great library! It is great for reconnaissance and OSINT, to scrape info from web portals about your targets, or drive recon fake profiles to continuously harvest data. It can help in web security testing when you need a real browser to work with for JavaScript or other reasons, or automate complex workflows and then inject your attack vectors. It is great for post-phishing automation, once you capture your victims' sessions, to hijack portals they have access to while you wait for your coffee to come out of the moka.

In this talk we will explore all three of these scenarios, showing examples on commonly used portals. If you don't know what Puppeteer is, we've got you covered!

Simona Musilova

Simona is a master's student of cybersecurity at the Faculty of Electrical Engineering at the Czech Technical University in Prague. After years spent in software development, she joined the Stratosphere lab. She is currently a member of the Aposemat project, a joint project between the Stratosphere lab and Avast Software to study IoT security. Her research focuses on managing all the IoT devices as honeypots, deep analysis of traffic captured by IoT honeypots, and studying the security mechanisms of the devices. One of the areas of her expertise is a deep understanding of the Telnet protocol for user profiling.

When A Password Is Not Enough - Developing A New Way Of Protecting Smart Homes

Everyone’s home is getting smarter and smarter. But using smart voice assistants, smart light bulbs, and other smart devices can put you and your home network at risk. One of the most significant issues in this field is that IoT devices use insecure passwords. You may change them, but is that enough? What if somebody steals your credentials? Will you know? We agree with the view that enforcing authorisation by credentials alone is not enough to stop an attacker.

This talk presents our research focused on the Telnet protocol, which is still widely used in IoT devices for remote administration. We propose a new method to detect unauthorised access by an attacker by analysing the network traffic. Our method is based on the differences between the behavioural patterns of the real administrator of the device and those of attackers. Thanks to the simplicity of the Telnet protocol and the fact that it is unencrypted, we can extract good features for the detection of any unauthorised access. Our method is based on extracting the commands and parameters sent by the user, the keys pressed, reaction times and other characteristics of typing.

Our goal is not only to detect unauthorised access to the administrator account but also to profile the attacker. Based on behavioural patterns, we can identify whether your IoT device is being attacked by a human or whether you are under attack by some malware - known or unknown.
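The behavioural profiling the abstract describes, as an added illustration that is not the Aposemat or Stratosphere code: it builds a keystroke stream for a Telnet session (constructed input, since real data would be the plaintext client-to-server bytes), extracts inter-key timing, think time between commands and the command vocabulary, and scores a session against a baseline profile of the legitimate administrator. The scoring weights, the thresholds (`THRESHOLD`, `AUTOMATION_GAP`) and the sample sessions are assumptions made for this example.

```python
"""Telnet session profiling: keystroke timing and command vocabulary features.

Constructed illustration (not the Aposemat/Stratosphere code) of the kind of
features the abstract lists: commands and parameters typed by the user,
inter-keystroke timing and "think time" between commands. A session is scored
against a baseline profile of the legitimate administrator; thresholds,
scoring weights and sample sessions are assumptions made for this example.
"""
from statistics import mean, pstdev
from typing import Any, Dict, List, Tuple

Event = Tuple[float, str]  # (timestamp in seconds, one character typed by the client)

THRESHOLD = 1.5        # assumed: a score at or above this is treated as "not the admin"
AUTOMATION_GAP = 0.02  # assumed: mean intra-line gap below 20 ms means pasted/scripted input


def make_session(commands: List[str], key_gaps: List[float],
                 think_time: float, start: float = 0.0) -> List[Event]:
    """Build a constructed keystroke stream for the given command lines.

    Keys inside a line are spaced by cycling through key_gaps; think_time is
    added after the carriage return that ends each line.
    """
    events: List[Event] = []
    t, i = start, 0
    for cmd in commands:
        for ch in cmd + "\r":
            events.append((t, ch))
            t += key_gaps[i % len(key_gaps)]
            i += 1
        t += think_time
    return events


def split_lines(events: List[Event]) -> List[Tuple[str, List[float], float]]:
    """Group keystrokes into (command line, intra-line gaps, think time before the line)."""
    lines: List[Tuple[str, List[float], float]] = []
    buf: List[str] = []
    gaps: List[float] = []
    think = 0.0
    prev_t, prev_ch = None, None
    for t, ch in events:
        if prev_t is not None:
            if prev_ch == "\r":
                think = t - prev_t       # pause between finishing one command and starting the next
            else:
                gaps.append(t - prev_t)  # time between consecutive keys of the same line
        if ch == "\r":
            lines.append(("".join(buf), gaps, think))
            buf, gaps, think = [], [], 0.0
        else:
            buf.append(ch)
        prev_t, prev_ch = t, ch
    return lines


def extract_features(events: List[Event]) -> Dict[str, Any]:
    """Per-session features: command names, typing rhythm and think time."""
    lines = split_lines(events)
    intra = [g for _, line_gaps, _ in lines for g in line_gaps]
    thinks = [think for _, _, think in lines[1:]]  # the first line has no predecessor
    commands = [line.split()[0] for line, _, _ in lines if line.strip()]
    return {
        "commands": commands,
        "mean_key_gap": mean(intra) if intra else 0.0,
        "std_key_gap": pstdev(intra) if len(intra) > 1 else 0.0,
        "mean_think_time": mean(thinks) if thinks else 0.0,
    }


def build_profile(sessions: List[List[Event]]) -> Dict[str, Any]:
    """Baseline of the legitimate admin: pooled typing rhythm and command vocabulary."""
    gaps: List[float] = []
    vocab = set()
    for session in sessions:
        for line, line_gaps, _ in split_lines(session):
            gaps.extend(line_gaps)
            if line.strip():
                vocab.add(line.split()[0])
    return {
        "mean_key_gap": mean(gaps),
        "std_key_gap": max(pstdev(gaps), 0.01),  # floor avoids division by ~0 for very regular typists
        "vocab": vocab,
    }


def score_session(events: List[Event], profile: Dict[str, Any]) -> Tuple[float, str]:
    """Return (anomaly score, label); label is admin, unknown-human or automated."""
    f = extract_features(events)
    timing_dev = abs(f["mean_key_gap"] - profile["mean_key_gap"]) / profile["std_key_gap"]
    cmds = f["commands"]
    unknown = [c for c in cmds if c not in profile["vocab"]]
    unknown_frac = len(unknown) / len(cmds) if cmds else 0.0
    score = timing_dev + 3.0 * unknown_frac  # assumed weighting of rhythm vs. vocabulary
    if f["mean_key_gap"] < AUTOMATION_GAP:
        label = "automated"      # nobody types with sub-20 ms gaps: scripted client or paste
    elif score >= THRESHOLD:
        label = "unknown-human"  # human rhythm, but not the admin's habits
    else:
        label = "admin"
    return round(score, 2), label


# Constructed sessions. Training data: two sessions of the real administrator.
ADMIN_TRAINING = [
    make_session(["uptime", "ps", "cat /var/log/messages"], [0.18, 0.22, 0.25, 0.20], 1.5),
    make_session(["ls /etc", "ps", "uptime"], [0.19, 0.24, 0.21, 0.23], 2.0),
]
PROFILE = build_profile(ADMIN_TRAINING)

ADMIN_TEST = make_session(["uptime", "ps"], [0.21, 0.22, 0.20, 0.23], 1.8)
INTRUDER_SESSION = make_session(["whoami", "uname -a", "cat /proc/cpuinfo"], [0.21, 0.19, 0.23, 0.25], 1.2)
BOT_SESSION = make_session(["enable", "sh", "cat /proc/cpuinfo"], [0.002, 0.003], 0.05)

if __name__ == "__main__":
    for name, session in [("admin", ADMIN_TEST), ("intruder", INTRUDER_SESSION), ("bot", BOT_SESSION)]:
        print(name, score_session(session, PROFILE))
```

The two signals are deliberately separate: near-zero inter-key gaps alone are enough to flag a scripted client regardless of what it types, while a human intruder is caught by the mismatch between the commands used and the administrator's usual vocabulary, even when the typing rhythm is plausible.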

Martin Klubal

Martin Klubal is a senior IT specialist who has been actively involved in ethical hacking for more than 15 years. He has worked for well-known Czech companies as well as for international institutions. He is focused on practical knowledge and custom research in several areas like pentesting, social engineering, darknet, and red teaming. Currently, he is gaining experience in the Russian Federation.

ATM Hacking Bluntly

How difficult is it to break into an ATM? Bank security is overrated in general. Let's tear down these myths and disclose an exciting journey to jackpotting. A talk full of boring theory without any details is not the goal of this presentation. On the contrary: a juicy real-case scenario with examples, PoC, and many graphics, not only from the lab but also from the wild. Do you want to know the ATM from the inside without any censorship? Come; no video recording of this talk will be published.

Additional information

  • If using public transportation, you can go to the metro station Budějovická and walk 5 minutes. There is also a bus stop Vyskočilova nearby, one stop away from the metro. For cars there are plenty of paid parking lots in the surrounding area.

  • Unless stated otherwise, talks will be in English and the recordings will be available online (with speakers' permission) after the convention.

  • For the workshops, please come at least 10 minutes ahead of time, otherwise it can happen that your seat is taken by somebody on the waiting list.

  • There will be some snacks and soft drinks prepared for you during the event. Also, there is a small cafe next to the conference hall where you can purchase hot drinks.

  • The venue is on the ground floor of the office building. There will be signs showing you the way to the conference hall and the lecture room for workshops.
