Dave Lewis has over two decades of industry experience. He has extensive experience in IT security operations and management including a decade dealing with critical infrastructure. Lewis is an Advisory CISO – Global for Duo Security. He is the founder of the security site Liquidmatrix Security Digest and cohost of the Liquidmatrix podcast. Lewis serves on the advisory boards for Cortex Insight and Dateva Inc. Lewis writes columns for Forbes, Daily Swig, CSO Online & Dark Reading.

Talk Title: Security and the Eternal Return

Abstract: Security as a practice can often feel like a perpetual hamster wheel of pain. The 19th century German philosopher Friedrich Nietzsche gave us his doctrine of the “eternal return”. This was the concept that everything in the universe is recurring and will continue to do so in perpetuity. But, what if we could step off that return? While Nietzsche was dealing with the meaning of existence, we can apply this to information security. We continue to witness recurring failures in the guise of data breaches and the like yet, we seem to accept them as the fabric of reality. Every data breach os static passwords that graces the headlines further compounds the point. We need to take the flat circle of time and put it on it’s edge and learn from our failures in such a way to leverage them and embrace them to change the narrative

Pukhraj Singh is a cyber intelligence analyst with 14 years of experience. He played an instrumental role in the setting up of the cyber defence operations centre of the Indian Government. Pukhraj was laterally inducted into the Government from the private sector after the 26/11 terror attacks. It was a multi-disciplinary tenure ranging from geopolitical doctrine formulation – eventually approved by the Prime Minister – to the very brass-tacks of cyber operations. Later, he spent some time at Aadhaar, India’s flagship biometric ID project as its first cybersecurity manager. Pukhraj also had very brief stints in the private sector, working with Symantec’s DeepSight – industry’s first threat intelligence team – and innovative American, Canadian, and Israeli firms. He has spoken at a variety of national security fora and hacking conferences. Pukhraj’s writings have appeared in leading Indian journals and newspapers.

Talk Title: Politics & Power in Cybersecurity

Abstract: This talk will be an extrapolation of Thomas Dullien’s observation: All offensive problems are technical but all defensive problems are political. In the daily firefight against vulnerabilities, it’s easy to forget how the structural dominance of cyber offence has made sure that many of the defensive problems would remain intractable and unsolvable in the coming decade. To further Dullien’s case, I spent a year researching how political power manifests in cyber offence and defence — thus coming to the acute realisation that cybersecurity is purely a function of power and power alone. Dan Geer, too, sees it that way — and more specifically as a component of realpolitik. The world is already marching from declaratory to escalatory dominance in cyber operations whereas we, in India, still haven’t come up with reasonable doctrinal discourse. The presentation aims to give an introductory glimpse of it.

Rahul (c0dist) currently works as Principal Threat Researcher in a threat intelligence firm, with keen interest in information security, automation, human behaviour and everything else related to computers. He has specialisation in Python/Bash automation for various tasks such as pentesting, IOCs/OSINT collection, honeypots deployment, web scraping, threat intelligence collection and APIs integration. Rahul has previously interned with The Honeynet Project under the Google’s Summer of Code program. He has co-authored / contributed to multiple open-source security projects like SHIVA spam honeypot, Detux Linux sandbox, Android Tamer, HoneySpot, etc.Last year, Rahul presented in c0c0n X conference on the topic of “How to setup honeypots that work”. In his free time, Rahul like to play CTF (Top 30 finalist in Nullcon’s HackIM CTF) and find flaws in things (CVE-2016-8856 Foxit Reader LPE).

Talk Title: Active Defense using Honeypots

Abstract: People have been using Honeypots to understand the adversary techniques from long time. However, recently the popularity has gone down due to the baggage that comes with deploying the honeypots. Setting up a honeypot might be easy, but consuming the data and maintaining it is a difficult job. There are various aspects to creating a good honeypot network (Honeynet) and leveraging it to provide actionable intelligence. In this workshop, our end goal is providing the responders with actionable information that could help them one-up their defence game. We plan to cover how attendees can setup multiple honeypot sensors and manage them. We will then discuss various pitfalls and issues that people face while deploying and using honeypots. Once we have presented solutions for these problems, we will move on to how to consume this data. We will also cover the Elasticsearch-Logstash-Kibana (ELK) stack to index, parse and consume the information. We believe at the end of the workshop, the attendees will be better equiped with the knowledge to setup robust honeypot networks (honeynets) and use them for active defence. Prerequisites: Attendees should bring a Windows/Linux/Mac laptop with admin rights, virtualisation capability and WiFi capabilities for downloading required software and libraries.

Inquisitive by nature, I tend to drift towards things that are seemingly difficult, yet, interesting. I have interest in a variety of areas including (but not limited to) blogging, playing guitar, painting/sketching, playing chess, indulging in adventure sports and, messing with the bits and the bytes. I turned my passion towards application security into a full time job in May 2018. I have a total 9 years of industry experience. Currently I am working as Application Security Engineer at Appsecco.

Talk Title: Attacking Web Applications with Burp Suite

Abstract: In this completely hands-on workshop, you would get to understand the techniques and methodologies that could be applied when performing a web application penetration testing. Throughout this workshop, you would be using Burp Suite tool, which is a conglomerate of distinct tools with powerful features. Apart from gaining familiarity with the tools and the techniques involved in application security testing, you would also get an opportunity to understand some of the common vulnerabilities from the OWASP Top 10 – 2017 list. We would provide you with a vulnerable website, and you would uncover security issues in it even if you have never done this before!

Vandana Verma is a Security Architect with over 12 years of experience specializing in web application, infrastructure and cloud security. She is part of security communities such as Volunteer Coordinator – Asia Pacific for OWASP Women in Appsec (WIA) & OWASP WIA Secretary, OWASP Chapter Leader and Heading InfoSecGirls. She has given talks and workshops at many colleges and security conferences including AppSec Europe, AppSec USA, NullCon and c0c0n.

Talk Title: Attacking Web Applications with Burp Suite

Abstract: In this completely hands-on workshop, you would get to understand the techniques and methodologies that could be applied when performing a web application penetration testing. Throughout this workshop, you would be using Burp Suite tool, which is a conglomerate of distinct tools with powerful features. Apart from gaining familiarity with the tools and the techniques involved in application security testing, you would also get an opportunity to understand some of the common vulnerabilities from the OWASP Top 10 – 2017 list. We would provide you with a vulnerable website, and you would uncover security issues in it even if you have never done this before!

An Information security enthusiast, forensicator, incident responder and trainer, contributing to open security community null India (delivered numerous trainings at null on IR & Memory forensics). Involved in Digital forensic investigations and consulting services to help various government organizations & corporate bodies in forensic audits, data leakage investigations, incident response and e-discovery cases, also performed Vulnerability Assessment, Penetration Testing, ISMS implementations, Network and database audits as part of previous engagements. Currently into monitoring and incident response for a giant retailer to deal with modern threat landscape

Talk Title: Hunting Malware in Memory

Abstract: Intelligence driven incident response requires memory dump analysis of infected systems to further investigate and understand the TTPs (Tactics, Techniques & Procedures), capabilities and characteristics of malware. As the modern adversaries are much sophisticated, targeted and advanced to deal with, incident responders must possess memory forensics skills to understand, identify and analyse intrusions at early stage. This training helps you to understand the topics of memory forensics and rootkit investigative techniques of real world malware samples using open source memory forensics frameworks (volatility). The hands-on lab walks you through the analysis of various real world samples and infected memory images (Rootkits like black energy, ransomwares like wannacry etc.) The intended audience could be SOC analysts, Malware analysts, Incident handlers and law enforcement agencies etc.

Abhinav has around 7+ years of experience in Information Security, penetration testing and hacking. You might have seen him giving training in several information security conferences and meetups. Some of the recent training are co-trainer in BlackHat USA 2018, BsidesDelhi 2017. Abhinav is the founder and head of security operations at ENCIPHERS. He is also one of the Research Advisory Board member for Cobalt Core, where he also leads the penetration tests. One of the Synack Research team member, have won several accolades, bug-bounties and Hall of Fame. As much as he loves hacking, he loves giving training too. You can find him on twitter @0ctac0der.

Talk Title: Discerning High Impact Mobile Apps Vulnerabilities

Abstract: When it comes to mobile applications, the amount of user data they handle is increasing enormously and the trend shows that mobile apps will keep on increasing and improving. But does the security of mobile apps also increase at the same rate? In this workshop, we will look at some of the high impact security vulnerabilities in android and iOS application. The workshop will focus on teaching how to test a mobile for some of the high impact security vulnerabilities and how to fix them. The workshop will move around some of the mobile vulnerability case studies, why they exist, how to test for such issues and how to fix them.Interested in learning about some bad-ass mobile app vulnerabilities? Want to learn how to safeguard your apps against those vulnerabilities? Join us in this workshop.

Kaizhe Huang is Senior Security Engineer at StackRox, where he builds security platform to detect runtime threats to containers/orchestrators. Previously, as Senior Security Engineer at Oracle Database Security Group, he helped building security products including: Database Vault, Database Privilege Analyzer and Database Assessment Tool. Kaizhe holds M.S. degrees in Information Security from Carnegie Mellon University.

Talk Title: SITH Happens: Attack of Malicious WASMs

Abstract: JavaScript is most popular language of the web. It is one of the fastest dynamic languages around, even though it is fast it still cannot compete with raw C/C++. WebAssembly an evolution of asm.js, is a low level, portable binary format that aims to speed up apps on the order of 20x compared to javascript. In this talk you’ll learn about how WebAssembly works. We look into the dark side of WebAssembly, use of WebAssembly for malicious activities starting with basic tech-scams and key loggers to sophisticated key-loggers. We will look at some malicious and vulnerable WebAssembly modules and highlight some gotchas while writing WASM modules. We hope that you get a good grasp of the WebAssembly threat model and learn what to look for while analyzing WebAssembly modules.

Lavakumar Kuppan is the founder of Ironwasp Security where he builds cutting edge vulnerability detection tools based on Smart-box testing technology. He has developed several security tools, including an open source web application security scanner. Through his research in the web security space he has discovered several new attack techniques on popular software. He has presented his security research in several international conferences including BlackHat. He holds the distinction of being one the few people who have developed DAST, SAST and IAST software.

Talk Title: DomGoat – the DOM Security Playground

Abstract: In a Mobile application pentest the tester focuses on identifying vulnerabilities on both the mobile app and the backend service the app talks to. However, in a web application pentest the client-side is usually ignored and the focus is placed entirely on security issues on the server-side. Modern browsers have several capabilities which make the JS code running in the browser almost as complex powerful as a mobile app and by extension also prone to serious security issues. Most pentesters remain unaware of these security issues and their severity. DOMGoat is an open source application that is developed primarily to help pentesters understand the various client-side security issues that can occur in the DOM. This includes everything from the several variants of DOM XSS to JavaScript cryptography to client-side data leakage and more. This talk will explain the various security issues that affect the DOM and also show how DOMGoat can be used to learn about these issues.

Neelu is working as Principal Consultant with NotSoSecure. Her current area of work includes Vulnerability Assessments and Penetration Tests of Web Applications & Network along-with red team engagements. Her array of experience includes Source Code Reviews, Threat Modelling of web applications, Data Leakage Investigations, Configuration reviews, Social Engineering engagements, etc. Some of her areas of interest in information security are building and execution of various threat cases, bending business logic, phishing, social engineering scenarios, building exploits, WiFi Cracking, etc.. She loves to use her analytical skills to participate in various research activities and innovation.

Talk Title: Pentesting GraphQL

Abstract: The talk will be focused on pentesting techniques for applications using GraphQL. As applications become data intensive, GraphQL will be the frontrunner when it comes to web and mobile applications and is getting rapidly adopted for new and existing API infrastructure. GraphQL guidelines can be implemented in a variety of ways and hence vulnerabilities are configuration specific and custom to the implementation at hand. The talk will discuss both traditional web application and non-traditional core GQL specific vulnerabilities and demonstrate the same for pentesting such implementations in a holistic manner.

Subash is an avid security enthusiast and a passionate developer, he enjoys developing meaningful solutions to real world security problems. He is currently working on solving security problems at cloud scale and exploring solutions to improve intelligent automation using AI. During his free time, he loves to explore and research on new and upcoming technologies. Introduced to the world of security by null Open Security Community, he is on track to actively contributing back by presenting at various meetups and conferences and has given talks at null Bangalore and the Serverless Summit. He has also contributed to open source security tools such as OWASP Threat Dragon and DVNA.

Talk Title: Self-host like it’s 2018 and reclaim your privacy

Abstract: Centralized services have taken far too much control from the users in exchange for convenience. Self hosting for the sake of privacy has become a daring ordeal only few even consider. The objective for the talk is to show how one can stick to open source software and self-host a robust and secure infrastructure that provides the same level of convenience we’ve been used to. I’ll be showing how I’ve setup my server to run various services and manage them in a secure and fault tolerant way. One can use a typical medium to high end PC with any reliable internet connection(s) to run your own reliable data center using the approach and guides

Siddharth is a third year UG student from Amrita University, Amritapuri, India. He is currently an active member of team bi0s. According to Ctftime.org, Team bi0s – the CTF team affiliated with Amrita University, is currently ranked number one in India. His primary focus is in the area of Reverse Engineering and Binary Exploitation. He is also a Google Summer of Code’ 18 scholar with the NetBSD foundation.

Talk Title: Finding memory bugs with the Address Sanitizer

Abstract: This talk explains why Sanitizers are important and how they can be used to help increase the efficiency of mainstream fuzzing. I will be delving into detail about how they work with relevant information about instrumentation and mapping. We will be looking at how the kernel implementation of the Address Sanitizer with a focus on the implementation in NetBSD. In the end of the talk I will be discussing some small examples of userland and kernel land bugs we can detect with the Address Sanitizer and I will use the opportunity to compare the Address Sanitizer with other tools out there.

Dhiraj Mishra is an active speaker and a bug hunter, discovered multiple zero days in modern web browsers, Metasploit Contributor. His work has been published on TheHackerNews, TheRegister & BleepingComputer. He works as Security Consultant with NotSoSecure.

Talk Title: Call of Duty:Modern Browser Warfare

Abstract: The talk I will be presenting is entirely my own work of research. While identifying vulnerabilities in web applications and participate in various bug bounty programs is interesting, I enjoy targeting platforms which are less popular as research topics. Having said that, while security for browsers is a known topic, I’ve been able to identify, through my research, several vulnerabilities which will help to secure it further. The issues I will be talking about are completely new within three specific domains – SOP, RCE and Address Bar Spoofing (ABS). These vulnerabilities, along with the attack scenarios are something which I’ve created through my research. I’ve also created from scratch, an exploit code which can be used across several browsers for the same vulnerability. I will be showcasing multiple Metasploit module and a tool BFuzz which where created during my research.

Sudhakar currents works in RE/Exploit Development at Payatu Technologies. He can be found cycling or playing CTFs on the weekend.

Talk Title: Garbage Collection Internals of Jscript and CVE-2018-8389

Abstract: JScript is the original Microsoft ECMAScript standard introduced in IE3. It was the primary runtime engine upto IE8. Although IE9 and up discarded JScript in favour of Chakra, it can still be loaded with a compatibility mode. JScript is used not just for JS runtime in IE but also for some other windows features including scripting and Windows Automatic Proxy Discovery(WPAD). WPAD configuration files are executed as JScript code in a SYSTEM context to resolve proxy addresses. Finding a vulnerability not only gives a good execution primitive but also privilege escalation. JScript is quite simple with no JIT and a simple Garbage Collector. Recently we have seen vulnerabilities involving heap management and garbage collection. My talk will go into details of internals of jscript.dll – Object/code management, garbage collection algorithm and heuristics. I’ll also show an old CVE with the internals.

Engineer at Qualcomm. I work on optimising inference for machine learning algorithms. My interest areas including binary exploitation, reverse engineering and programming.

Talk Title: Headshot: Game Hacking on macOS

Abstract: Game hacking is a major contributor to the hacking economy. People shell out a lot of money for hacks which help them cheat at multiplayer games. These hacks can range from enhancing in-game abilities for gaining an upper hand in the game, to bypassing in-app purchases. With the advent of anti-cheat such as VAC (Valve Anti Cheat), the techniques employed by hackers to cheat at games have become increasingly refined. These techniques are comparable to those utilised in sophisticated malware and rootkits. These techniques include runtime process injection, function interposition, and proxying network traffic to name a few. To avoid detection, hackers even resort to custom kernel drivers to interact with the game process. This talk will detail a few of the techniques utilised by game hackers and malware developers alike, through the hacking of an open-source game. I will showcase some hacks for an open-source FPS game by describing the method in detail for the macOS platform. While the demo will be macOS specific, the approach applies to all modern operating systems.

Prithvinder is an avid technology enthusiast who has worked in IT security for the over 8 years with expertise in Mobile/Web/Network security. He is currently working with Microsoft India as a part of Supply Chain Security team and also responsible in providing Security Consulting to our customers. Prior to Microsoft he has worked as Security Analyst for some of the leading companies in the industry.

Talk Title: Securing the Supply Chain with Risk-Based Framework

Abstract: Everyone knows, 3rd party softwares bring lot of risk to an organization. However does traditional vetting of supplier solutions work? Will it really reduce the risk? can we perform effective assessments? Is it scalable? Can we do continuous monitoring? In this session we will talk about what are the risks currently associated with the 3rd Party Softwares and how to surface them for effective risk reduction. This session will focus on securing supply chain using risk based 3rd party framework which encompasses integration of multiple security checkpoints at various stages of solution lifecycle

Prashanth Sulegaon is a Seasoned Information Security Professional with 12+ years of experience.Expertise in SDL Methodologies and Process, Risk based Assessment, Secure Design Review, Penetration Testing, Vulnerability Assessment, Fortify Static code Analysis tool deployment, Conducting training for developers on developing secure applications, Conceptualizing & devising security assessment framework for 3rd party software

Talk Title: Securing the Supply Chain with Risk-Based Framework

Abstract: Everyone knows, 3rd party softwares bring lot of risk to an organization. However does traditional vetting of supplier solutions work? Will it really reduce the risk? can we perform effective assessments? Is it scalable? Can we do continuous monitoring? In this session we will talk about what are the risks currently associated with the 3rd Party Softwares and how to surface them for effective risk reduction. This session will focus on securing supply chain using risk based 3rd party framework which encompasses integration of multiple security checkpoints at various stages of solution lifecycle