BSides Kraków - 2024
When: Saturday, September 14th, 2024
Where: AGH University | Computer Science Department - Kawiory 21, Kraków (Wydział Informatyki, AGH, D-17)
Cost: Free option available + Paid option available
Invite your friends by posting this on Twitter: "#BSidesKrakow on September 14th, 2024: Discover the next big thing!"
Sponsors
Sponsor tiers: Host & Co-organizer, Badge, Contributing, Supporting, Supporter.
Schedule
Talks
Tracks: Track 1 - Discovery (Floor 0), Track 2 - Insight (Floor 1), Track 3 - Frontier (Floor 0).

08:00 - 08:45 (all tracks)
- Check-in (Reception): reception of participants. Bring your QR code ticket in the app!

08:45 - 09:00
- Track 1: Opening. Cássio Pereira. BSides Kraków 2024 & 2025.

09:00 - 09:55
- Track 1: Offensive Operations Against Foreign Adversaries: Russia. Steve Borosh aka rvrsh3ll. Steve Borosh started hacking the planet with Black Hills Information Security in 2021 and has been instructing offensive courses since 2015. Steve has instructed at conferences such as BlackHat and Wild West Hackin' Fest, for Fortune 500 companies, and for federal law enforcement. He currently annoys system administrators as part of the ANTISOC team at BHIS and enjoys releasing shock-and-awe research blogs and open-source tools to drive change in the industry.
- Track 2: Learning from Open Source: A Developer-First Approach to Security. Fabian Kammel. Everyone is all too familiar with the stereotypical sticky note with a password attached to a monitor, but we see equivalent security risks in our jobs, every day! From sharing production secrets through insecure channels to disregarding TLS server certificate validation, these are symptoms of a larger issue: 'Security at the expense of usability comes at the expense of security'. In this talk we will delve into the heart of this issue and show why adopting a developer-first approach is paramount when designing a secure system. We will distill design best practices from prominent and successful open-source projects such as Let's Encrypt and Sigstore. We contrast these with real-world scenarios observed during security assessments in the industry, and show how the same best practices could have led to a system with higher adoption and therefore a better security posture. Participants will be equipped with actionable strategies suited for simple scripts as well as complex CI/CD systems.
- Track 3: Chessboard of War: Breaching the Perimeter on Physical Cyber Security Engagements. Tayla Micael Sellschop. This presentation is designed to illustrate to participants the functioning of physical assessments in real-world scenarios. It delves into the conceptual and practical methodologies employed by offensive security analysts in gaining entry to a building and utilizing that access for subsequent internal exploits. This presentation additionally provides insights on optimal strategies to safeguard against external threats and enhance employee awareness regarding the risks associated with insufficient physical security measures on their premises. Attendees will leave with three key insights. Firstly, an understanding of the psychology behind social engineering and its dynamics within different cultural contexts. Secondly, awareness of various tools, including Raspberry Pis, keyloggers, and card cloners, commonly employed in engagements. Lastly, they will gain knowledge of best practices, highlighting how organizations can fortify their physical security and enhance awareness to protect themselves.

10:00 - 10:30
- Track 1: Keynote: If you want to be a CISO, then check this first. Brian Vlootman. If you're aspiring to be a CISO, do you really know what you are getting into? This talk will cover the reality of being a CISO and an honest reflection of what you need to be a great CISO. There are many ways to grow as a security professional and they almost always don't end with the CISO role. But a better understanding of what that role is about may help you to grow faster.

10:30 - 11:00
- Track 1: Keynote: A Quick, Efficient Yet Not Entirely Sane Introduction to Deception. John Strand. Active Defenses have been capturing a large amount of attention in the media lately. There are those who thirst for vengeance and want to directly attack the attackers. There are those who believe that any sort of active response directed at an attacker is wrong. We believe the answer is somewhere in between.

10:00 - 10:55
- Track 2: The Physical Security Blind Spot. Brian Harris aka CAT. Physical security, in the forms of auditing security posture and black team engagements, is an all too often overlooked part of security and arguably one of the most important. I have spent around 15 years performing physical security audits and black team engagements for governments, state entities and private corporations all over the world, and I want to share some of the stories, concepts and security vulnerabilities involved with black teaming: from bugging corporate board rooms, stealing documents and generally getting into places that are supposed to be secure. No amount of cyber security will save you if the attackers have physical access to your servers and hardware.
- Track 3: Demystifying Confidential Computing: A Practical Introduction for Cloud Native Engineers. Fabian Kammel. Confidential computing stands at the forefront of modern security paradigms, offering unprecedented levels of data protection in cloud environments. As cloud-native architectures become increasingly prevalent, understanding and leveraging confidential virtual machines (CVMs) is paramount for engineers tasked with safeguarding sensitive data. This talk aims to demystify confidential computing and provide cloud-native engineers with a practical introduction to integrating confidential VMs into their cloud infrastructures.

11:00 - 11:55
- Track 1: Biometrics RMTC: Reality, Myths, Threats & Countermeasures. Adrian Kapczyński aka Hpar3s. In order to demystify the field of biometrics, this presentation, 'Biometrics RMTC: Reality, Myths, Threats & Countermeasures', will explore its reality, dispel common misunderstandings, look at potential risks, and talk about practical countermeasures. Participants will acquire a thorough grasp of the operation of biometric systems, as well as the advantages, disadvantages, and security issues they raise.
- Track 2: CyberRisks in DevOps - staying ahead for cyber resilience & compliance. Grzegorz Zagraba. Losing IP and configurations stored in DevOps tools such as GitHub, GitLab, Bitbucket or Jira can paralyze the operation of the entire company. Get to know the biggest threats and learn how to eliminate them so as not to lose even a single line of your code and ensure resiliency and business continuity. We will discuss:
  - Alarming threat landscape statistics every CISO and DevOps should know
  - True stories of the most severe GitHub, GitLab, and Atlassian 'fackups' (including an ultimate review of the most severe threats)
  - Data protection, backup, disaster recovery and security best practices
- Track 3: Social engineering and elicitation techniques of hacking a human being. Dorota Kozlowska. Presentation of social engineering theory and techniques, going in depth to learn about elicitation and building rapport with your potential victim. Examples of real-life attacks, and final thoughts on who could be a social engineer and how to defend yourself against one. The person listening to my talk will end it with tangible knowledge on social engineering and places to go if they want to learn more. Agenda:
  1. What is social engineering? Examples.
  2. Becoming anyone you want to be: Pretexting.
  3. Four phases of social engineering (Reconnaissance, Engagement, Exploitation, Closure).
  4. Building your artwork: What is elicitation? Elicitation techniques.
  5. I know how to make you like me: Building rapport.
  6. Examples of real social engineering attacks.
  7. Now what? Skills you need to become a social engineer, and how to defend yourself.
  8. Conclusion, final thoughts.

12:00 - 13:00 (all tracks)
- Lunch break - NOT INCLUDED

13:00 - 13:55
- Track 1: Leveraging Features for Privilege Escalation in Ubuntu 24.04. Elliot Ward. In this session, we explore a unique approach to privilege escalation in Ubuntu 24.04 by leveraging system features rather than relying solely on traditional vulnerabilities. Our research began with an investigation into Ubuntu's privilege boundaries, focusing on DBus and its interaction with the cups printing system. Through a series of methodical steps, we uncovered a way to escalate privileges from a standard user to root by chaining together minor bugs and existing features. Our journey highlights the importance of understanding system components and their interactions. By exploiting the configurations within the cups service and bypassing AppArmor restrictions, we achieved arbitrary command execution, ultimately gaining root access through the wpa_supplicant service. This talk emphasizes the significance of a holistic approach to security research, demonstrating how combining knowledge of system features can lead to successful exploitation. Attendees will gain insights into advanced privilege escalation techniques and the critical role of comprehensive system analysis in identifying security risks.
- Track 2: The not-ultimately-boring introduction to HIPAA compliance in web applications. Pawel Olbrycht. A real-life approach to HIPAA compliance: an explanation of what to do, what is not required, and why compliance (in general) is so important.
- Track 3: How to Break into Organizations with Style: Hacking Access Control Systems. Julia Zduńczyk. Have you ever wondered how Red Teamers manage to get access to high-security areas in buildings? This talk is your chance to learn about the tools, tactics, and techniques we use to break access control systems. The presentation is based on the experience and examples collected during Red Team assessments and gathers in one place the knowledge needed to gain access to places protected by access cards.

14:00 - 14:55
- Track 1: Get high as a Threat Actor - Rootkits and Kernel security. Marcelo Toran. Join us for an in-depth exploration into the clandestine tactics employed by Threat Actors to infiltrate systems at a Kernel level. In this session, we will examine various Kernel security features in Windows environments and show potential attack paths to bypass some of those. Beginning with a brief overview of the different Kernel security mechanisms, we'll dive into the intricacies of each feature and explore potential bypass techniques utilized by adversaries. Once the theoretical groundwork is established, we will introduce a streamlined methodology for identifying the right vulnerable drivers so you can easily replicate the same attack vectors during your Red Teams. In the culmination of our session, we will demonstrate the full chain of exploitation in a real environment, showcasing some of the powerful actions Threat Actors could perform when they are so high. We will finalize with some security recommendations to enhance your defenses against evolving cyber threats.
- Track 2: Leveraging Certificate Transparency Logs to Disrupt Scammers. Kamil Nowak. In our ongoing battle against cybercrime, a valuable ally has emerged: Certificate Transparency (CT) logs. These publicly accessible logs play a crucial role in combating phishing and fraud. This talk will delve into how we can actively leverage CT logs to identify and disrupt scammer operations. I will introduce my open-source tool designed for hunting down scammers and share how my colleagues and I managed to frustrate one particular scammer group for more than six months.
- Track 3: Improving security with Kubernetes. Pedro Dallegrave. The idea behind this presentation is to present the challenges of vulnerability management and security hardening for cloud environments that leverage instance-based deployments, such as AWS EC2, that host stateless services and are constantly being scaled in and out. This presentation is based on a real-life scenario in which the golden image approach is used in combination with a slight amount of automation to ensure patching is performed. It highlights the pushback received from developers who want to avoid live patching, as well as business pressure that doesn't want to have engineers allocated to tasks that are not directly related to feature development. A technical description of the current setup will be presented along with a service diagram. The proposed solution then uses a containerized environment, in this case Kubernetes, but any other orchestration solution, like Nomad for example, can use it. Two use cases will be presented for the solution: one based on a Jenkins deployment, which is mainly a static instance, and the second a random service that scales from 1-2 instances to up to 20 to satisfy demand. The amount of configuration and effort required to maintain them will be compared with running the same setup in Kubernetes, and these changes can considerably reduce the effort required from engineering teams to maintain the services. Examples of the benefits that can be achieved are:
  - There is no need to manage operating system updates or patches for dozens of services that are embedded into the OS or added for convenience.
  - Simplification of build and deployment processes.
  - Ability to ensure everything is up to date from the build to the operation phase.
  - Stricter hardening of the whole environment by reducing the number of required packages, restricting access, removing services like SSH, etc.
  - Leveraging a centralized access control mechanism.

15:00 - 15:55
- Track 1: AI: The Good, The Bad, and The Certainly Unregulated. Manfred Bjørlin. AI's prevalence raises security concerns. Many can't explain AI models, making understanding their strengths, weaknesses, and biases crucial. Tools like ChatGPT transform work but pose risks. Cloud-based AI can breach data confidentiality. Monitoring is essential. ModelOps ensures compliance and ethics. Continuous testing prevents harmful attacks. Regulations like the EU AI Act will demand risk assessments. China has advanced AI regulations since 2017. AI TRiSM ensures reliability, security, and privacy, driving adoption and outcomes. Effective governance is key to managing threats. **What Will I Learn?**
  1. Understand AI models' strengths, weaknesses, and biases.
  2. Grasp risks of gen-AI tools and mitigation.
  3. Recognize ModelOps' ethical role.
  4. Learn continuous testing's protection role.
  5. Prepare for AI regulations.
  6. Explore AI monitoring examples.
  Secure AI's future with AI TRiSM.
- Track 2: AWS and SBOM - Better Together. Pawel Piwosz. SBOMs are becoming not only more and more popular, but also more and more expected. We already have many tools and ways to generate these reports, but do the cloud providers take it seriously? In this talk we dig deeper into AWS and check it out. We all already know what an SBOM is, right? So this is mostly a hands-on session, and we will explore multiple services and multiple workloads to find out if AWS gives us the right tools.
- Track 3: Expanding Security Horizons: SIMD-Based Threats. Andrii Mytroshyn. The main goal of the talk is to give its participants a basic idea of attacks using GPU/SIMD, and provide an understanding of why it is possible and why almost any system could be affected by such threats.

16:00 - 16:55
- Track 1: Malware and Hunting for Persistence: how are adversaries hacking your Windows? Zhassulan Zhussupov aka cocomelonc. The story of how I discovered several non-standard and unusual methods for malware persistence using registry modifications and DLL hijacking vulnerabilities: Windows Internet Explorer, Win32API cryptography features, the Windows Troubleshooting feature and Process Hacker 2. Research in the field of hunting new persistence techniques for malware. Also a comparison of these methods with classical tricks and techniques that are used by various APT groups and ransomware authors.
- Track 2: AI in Action: Enhancing Security with LLM Agents. Aliaksandr Rahavy & Mikayel Minasyan. In this presentation, we will give an overview of LLM agents' capabilities for handling routine and diverse tasks in cybersecurity. We will also explore the challenges involved in the development of LLM agents, review the achieved results, and consider the future of LLM agents in the field of cybersecurity.
- Track 3: From Text to Flaws: vulnerabilities in applications with Generative AI and LLMs. Paul Molin. With the advent of ChatGPT and LLMs, a new world of possibilities has opened up in tech. The first use cases were quick to follow: new applications based on generative AI are being deployed in production every day. In this brand-new field, the race has begun between developers and security experts on the one hand, and attackers on the other. What are the risks of applications using LLMs? What practical means do developers have to protect themselves? This is what I'm going to talk about in this talk, explaining:
  - how LLMs and the applications that leverage them work
  - typical vulnerabilities in applications using generative AI (with juicy stories to back it up)
  - countermeasures developers can take to protect their applications
The AppSec & DevSecOps Village - By Nova8 & Checkmarx
| Time | Activity - Floor 0 |
|---|---|
| 09:00 - 09:55 | Integrating Secure SDLC into an Ongoing Project: Elevating Security from the Ground Up. Mykola Kolomiiets, Solution Architect at NIX |
| 10:00 - 10:55 | TBD |
| 11:00 - 11:55 | The magic of ASPM. Cássio Pereira, Application Security Expert at Backbase |
| 12:00 - 13:00 | Lunch break |
| 13:00 - 14:55 | Workshop - Secure coding training - Stop creating shit code. Cássio Pereira, Marcos Santos and Rafaela Durlo, Application Security Experts at Backbase, Greenbone & Epam |
| 15:00 - 15:55 | Fixing your code with AI. Jonathan Afek, CTO & Co-Founder at Mobb |
| 16:00 - 16:55 | XZ Backdoor: Navigating the Complexities of Supply Chain Attacks Detected by Accident. Yoad Fekete, CEO & Co-Founder at Myrror Security |
The Cyber Games Village by Black Hills InfoSec
Join us at BSides Krakow for some Cyber Games!
The Cyber Games Village will host multiple table-top RPG style security games, a Capture the Flag tournament, and Hacker Trivia!
| Time | Activity - Floor 0 |
|---|---|
| Table-Tops, 09:00 - 17:00 | Play table-top exercises with groups of fellow security enthusiasts with Black Hills InfoSec to level up with real-world scenarios of security breaches and incidents. We will be providing D20 dice to enhance your experience. Free Backdoors & Breaches decks will also be provided! Games will be played at various intervals during the day. |
| CTF, 10:00 - 16:55 | CTF: Battle it out against your fellow conference members by completing hacking challenges in the Capture the Flag tournament. The CTF is hosted by Black Hills InfoSec and MetaCTF. You can play solo or as a team. The CTF will start promptly at 10:00 CET and will wrap up at 17:00. Prizes will be awarded for the top individual players and the top teams! |
| 13:00 - 13:30 | Dungeons & Dragons: The security powertool you didn't know you needed. Klaus Agnoletti, Storytelling Cyber Security Advisor |
| 14:00 - 14:55 | Hacker Trivia: In the afternoon, stop by the game room for Hacker Trivia. It is a 60-minute session, full of great hacker topics and history. You'll need a smartphone to participate in this game, as you submit your answers through the phone. Let's see if you know your history! |
| 17:00 | CTF prizes, awarded for the top individual players and the top teams! |
The after party + Underground Meetup - With support from DevSecCon
19:00 - 01:00
- Drinks & food free for all participants! Your badge is your ticket: no badge, no party for you! Venue: PROMINENT The Original Lounge Bar - Hala sportowo-widowiskowa Politechniki Krakowskiej, Kamienna 17, 31-403 Kraków.
- Take the time to do networking, business and hiring. But don't forget to enjoy the amazing attractions prepared for you:
  - Dance floor with DJ
  - Bowling
  - Pool
  - Darts

20:00 - 20:30
- I'm ok, you're ok, we're ok: Living with AD(H)D in Infosec. Klaus Agnoletti, Storytelling Cyber Security Advisor.

20:30 - 21:30
- The Questionable State of ML(Ops) Security. Mikołaj Kowalczyk. In this session I will cover the state of MLOps security, I will demonstrate a few interesting ways of stealing OpenAI API keys and getting access to the self-deployed ML models owned by other people. I will also discuss OWASP Top 10 for Machine Learning, a standard to which I contribute.

21:30 - 22:00
- 3 lightning talks, 10 minutes each. No need to submit your talk, just come to the stage and talk! No vendor / commercial talks allowed.
Exclusive Trainings (2 days)
Training 0 - 12/09, 09:00 - 17:00 - Instructor: Steve Borosh
Offensive Operations Against Foreign Adversaries: Russia. What if you were part of a State-sponsored hacking group, tasked with gaining access to a Russian defense contractor network? What high-value targets could you identify from an external, unauthenticated perspective using advanced OSINT techniques? How would you gain an initial foothold on an operating system that uses a foreign language? Can you enumerate compromised systems with your current tooling and operate in a new software ecosystem devoid of traditional Active Directory? What valuable information could you find and exfiltrate to achieve mission success? In the end, do you profit from your access or burn it all to the ground? Join us as we take you on a journey as a State-sponsored hacker pivoting through Russian defense networks.
Register now
Steve Borosh started hacking the planet with Black Hills Information Security in 2021 and has been instructing offensive courses since 2015. Steve has instructed at conferences such as BlackHat and Wild West Hackin' Fest, for Fortune 500 companies, and for federal law enforcement. He currently annoys system administrators as part of the ANTISOC team at BHIS and enjoys releasing shock-and-awe research blogs and open-source tools to drive change in the industry.

Training 1 - 12/09, 09:00 - 17:00 - Instructor: John Strand
SOC Core Skills w/ John Strand. 16-hour course. Includes certificate of participation and 6 months access to the course on-demand. This 16-hour information security training course will cover the core security skills all Security Operation Center (SOC) analysts need to have. These are the skills that all Black Hills Information Security (BHIS) SOC team members need to have.
Course outline:
- Getting Started
- TCP/IP
- Headers
- Shodan
- TCPDump
- Wireshark
- Linux
- Users and Privileges
- Root
- Home Directories and Hidden Files
- Mkdir
- Vi
- Nano
- Ps aux
- Top
- Ping
- Nmap
- Netstat
- Bash History
- Linux CLI
- Windows Endpoint Analysis
- PowerShell
- DeepBlueCLI
- DeepWhiteCLI
- Server Analysis
- CIS Benchmarks
- Memory Forensics
- Volatility
- MITRE and UEBA
- User Entity Behavior Analytics
- JPCert Tools Analysis
- False Positives
- Lateral Movement
- Logs
- SIEM and %
- GPO and Sysmon
Register now
John Strand has consulted and taught thousands of classes and hundreds of organizations in the areas of security, regulatory compliance, and penetration testing. He is a coveted speaker and much-loved former SANS instructor and course author. John is a contributor to the industry-shaping Penetration Testing Execution Standard and 20 Critical Security Controls frameworks. In 2008, John founded Black Hills Information Security (BHIS), a pentesting company that strives to understand its clients from a holistic perspective, emphasizing collaboration and education over stunt hacking. Since then, BHIS has grown to become a "tribe of companies" that includes Antisyphon Infosec Training, Active Countermeasures (ACM), Wild West Hackin' Fest (WWHF), and more!

Training 2 - 12/09, 09:00 - 17:00 - Instructor: Joff Thyer
Introduction to Python w/ Joff Thyer. 16-hour course. Includes certificate of participation and 6 months access to the course on-demand. One of the most pressing needs Information Security professionals face today is the need to automate their work in both the attack and defense context. Skills gained for automating tasks in programming languages are critical to scale up the efforts of a limited security professional talent pool. For example, it is not uncommon to find useful Python scripts on the Internet that are at a proof-of-concept stage to quickly achieve some information security professional goal. Penetration testers, incident responders, forensics, and defense professionals need the ability to take existing code and produce stable, functional Python tools, or to debug an issue with an existing tool. This course aims to teach the fundamentals of the Python programming language such that a student will gain a beginning to intermediate level of competency with the language. Labs will be presented in a Capture the Flag (CTF) style format as well as some more comprehensive programming tasks. The expectation as to whether students can complete all exercises is dependent on prior student experience and knowledge. Python is a language that is best approached if a student has some elementary programming background (such as shell scripting, for example).
Course outline:
- About Python
- Python Shell
- Strings, Input, Output
- Writing your First Script
- Code Blocks, Indentation
- Functions
- Conditional Logic
- Lists
- Loops
- Modules
- Dictionaries
- Files and Databases
- File Handling
- Requests
- Classes
- Exception Handling
- Regular Expressions
- Furthering your Journey
Register now
Joff Thyer has been a penetration tester and security analyst with Black Hills Information Security since 2013. Prior to joining the InfoSec world, he had a long career in the IT industry as a systems administrator and an enterprise network architect. He has an Associate's in Computer Science, a B.S. in Mathematics, and an M.S. in Computer Science, as well as several certifications. The best part of a penetration test for Joff is developing sophisticated malware that tackles defensive solutions, ultimately delivering exciting wins for company engagements. He has extensive experience covering intrusion prevention/detection systems, infrastructure defense, vulnerability analysis, defense bypass, source code analysis, and exploit research. When Joff isn't working or co-hosting the Security Weekly podcast, he enjoys making mu
Topics we would like to hear about
Preference is given to talks that are up-to-date, innovative, provide solutions as well as insight to problems.
- (anti)Forensics and Incident Response
- Application Security / DevSecOps
- Biometrics / Identity and Access Management
- Cloud Security
- Compliance / Regulations / Standards / Risk Man
- Critical Infrastructure Security / Mission Critical Systems
- CyberSecurity
- Data Breaches for Stock Market Manipulation
- Database Security
- DDoS Extortion / Botnets / CEO Fraud / Compliance Extortion
- Ethical Hacking / Security Projects & Tools
- Firewalls / VPN / UTM
- Hardware Security
- Healthcare Security
- Internet of Things (IoT)
- Malware Analysis & Techniques
- Maritime Security
- Mobile Security
- National Security / CyberDefense
- Network Infrastructure
- Network Security / Monitoring
- Offense and Exploitation
- Open-source Intelligence (OSINT)
- Penetration Testing
- Physical Security
- Privacy & Issues
- Security Information and Event Management (SIEM)
- Security Management
- Transportation Hacking (Car, Bus, Airplanes, Ships, etc.)
- VoIP Security
- Vulnerability Scanners
- Web Application Security
- Wireless Security
Planners
- Cássio Pereira @cassiodeveloper
Volunteers
- Cássio Pereira @cassiodeveloper
- Alex Sveleba @alexxisfero
- Markiyan Chaklosh @markiyanch
- Julio Cesar Fort
- Fernando Cardoso
Task list
Ask for an invitation to our team - contact (at) bsideskrakow dot pl
Tags for social media.
Please use the tag #BSidesKrakow for content related to this event.
Who's blogging?
- Cássio Pereira @cassiodeveloper