About : Arun is a Founder and Director of Amynasec Labs which specializes in Vehicle/ IoT/ ICS Security. He is a Hardware, IoT and ICS Security Researcher. His areas of interest are Hardware Security, SCADA, Automotive Security, Fault Injection, RF protocols and Firmware Reverse Engineering. He also has performed various Security Audits for both Government and private clients. He has been a speaker at Cybersecurity conferences such as NullCon Goa 2016, 2017, 2018, GNUnify 2017, Defcamp Romania 2017, 2018, BSidesDelhi 2017, c0c0n x 2017, EFY 2018, x33fcon2018, BlackHat USA 2018, Defcon USA 2018, and OWASP Seasides 2019 Goa. He has been a Trainer for Practical Industrial Control Systems (ICS) hacking training, delivered in x33fcon2018, 2019, HIP 2018 and also delivered training for IoT hacking in HITB 2017, HIP 2017, BlackHat Asia 2018 and private clients in London, Australia, Sweden, Netherlands etc. He is an active member of null open community and is also a part time DJ.

Village Title: Car Hacking Village

Abstract : Today, all vehicles are connected through V2X technologies. The manufactures are coming with new technologies which can be added technologies for Vehicle industries like Fleet management systems, diagnosis toolset etc. These systems are from third party vendors which are still in a vulnerable state. So, addressing their weakness requires specific skillset in cybersecurity of vehicle industries. In this CAR Hacking Village, audience will get hands on experience to play with all kind of car components which is presents in all CAR. Along with this village, there will be CTF on CAR hacking. During this Village, the speaker will provide Virtual machine which will be having the entire necessary toolkit. This can be used post this Village for Vehicle security testing.

About : Nikhil Bogam is an automotive expert in Safety and Security. His areas of interest are ECU security, CAN, LIN Network Security. He also has experience in Security Design, Implementation in Automotive products. He has 13 years of experience in automotive product development. In his tenure, he worked with Hella, Tata Elxsi, Continental and for many Car manufacturers like BMW, Honda, VW. Currently, he is working with Lear Corporation. He has delivered a workshop at OWASP Seasides 2019 Goa on CAR Hacking. He likes cycling and trekking.

Village Title: Car Hacking Village

Abstract : Today, all vehicles are connected through V2X technologies. The manufactures are coming with new technologies which can be added technologies for Vehicle industries like Fleet management systems, diagnosis toolset etc. These systems are from third party vendors which are still in a vulnerable state. So, addressing their weakness requires specific skillset in cybersecurity of vehicle industries. In this CAR Hacking Village, audience will get hands on experience to play with all kind of car components which is presents in all CAR. Along with this village, there will be CTF on CAR hacking. During this Village, the speaker will provide Virtual machine which will be having the entire necessary toolkit. This can be used post this Village for Vehicle security testing.

About : Hrishikesh Somchatwar is a Hardware Security Intern at Amynasec Labs. His research paper has been accepted at IEEE conferences such as Tencon 2018. He is the OWASP Nagpur Chapter Leader and is also an active speaker. He has keen interest in Hardware and RF Hacking. Apart from security, he has been a Lead Hardware Innovator at National Innovation Foundation and Makers Asylum for SDGs.

Village Title: Car Hacking Village

Abstract : Today, all vehicles are connected through V2X technologies. The manufactures are coming with new technologies which can be added technologies for Vehicle industries like Fleet management systems, diagnosis toolset etc. These systems are from third party vendors which are still in a vulnerable state. So, addressing their weakness requires specific skillset in cybersecurity of vehicle industries. In this CAR Hacking Village, audience will get hands on experience to play with all kind of car components which is presents in all CAR. Along with this village, there will be CTF on CAR hacking. During this Village, the speaker will provide Virtual machine which will be having the entire necessary toolkit. This can be used post this Village for Vehicle security testing.

About : Kartheek is an automotive security Intern at Amynasec labs LLP. He is also working with bi0s hardware security team in the field of Automotive security. kartheek is persevering his Third-year undergraduate education in Mechanical Engineering at Amrita Vishwa Vidyapeetham. Along with his studies, Kartheek is working on drafting blogs and practising automotive attacks.

Village Title: Car Hacking Village

Abstract : Today, all vehicles are connected through V2X technologies. The manufactures are coming with new technologies which can be added technologies for Vehicle industries like Fleet management systems, diagnosis toolset etc. These systems are from third party vendors which are still in a vulnerable state. So, addressing their weakness requires specific skillset in cybersecurity of vehicle industries. In this CAR Hacking Village, audience will get hands on experience to play with all kind of car components which is presents in all CAR. Along with this village, there will be CTF on CAR hacking. During this Village, the speaker will provide Virtual machine which will be having the entire necessary toolkit. This can be used post this Village for Vehicle security testing.

About : Ashutosh is a 21-year old applied cryptography and system security enthusiast interested in Elliptic Curve Crypto and automated security analysis of cryptographic protocols and their implementations. He is one of the leads of team bi0s, a “Capture The Flag” team that has been ranked number-1 in India for the past 3 consecutive years and is currently ranked among the top 25 CTF teams across the world. Previously he has been invited to speak at DEFCON 26 Crypto Village andBSides SF 2018. He is also the only undergraduate student to receive a scholarship to attend Elliptic Curve Cryptography Summer School 2017,held in Radboud University, Netherlands. Currently, Ashutosh is pursuing his final year undergraduate studies inComputer Science at Amrita Vishwa Vidyapeetham. In his free time, he loves playing CTFs, reading, replicating crypto-based vulnerabilities in cryptographic libraries and software, making open source tools and libraries that help make the process of learning cryptography easier!

Talk Title: Security Analysis of end-to-end encryption in chat applications

Abstract : End-to-End (E2E) encryption has found its extensive use in chat applications in the last few years, so much that has become a part of our daily lives, ensuring that the chats remain private only to the sender and the receiver and that they are not tampered with during transmission. In this talk, the speaker will be discussing various technicalities and challenges involved in implementing end-to-end encryption in chat applications. The talk is divided into four phases. In the first phase, we will try to answer what exactly is end-to-end encryption and how some app simplement it to ensure confidentiality. We will also discuss how TLS was used in chat applications before E2E came into existence, its limitations and hence discuss the need for E2E encryption. The second phase involves technical analysis of a part of the Telegram's MTProto protocol. In the third phase, we will try to understand one of the vulnerabilities that existed in Telegram back in 2014, with the potentiality of a backdoor that could allow servers to decrypt so-called end-to-end encrypted messages. We will look at other security and privacy related controversies in Telegram in this phase. In the last phase, we will discuss various implications and trade-offs involved in a fully-private chat application and finally conclude with trying to answer the question -- Is Telegram secure?

About : Umang Raghuvanshi is a Security Researcher at Secfence. His area of expertise is iOS kernel and browser research. He is a contributor to every iOS jailbreak since iOS 11.2 and is a member of the Electra jail break team.

Talk Title: The Art of WebKit Exploitation

Abstract : The WebKit browser engine powers the Safari browser on iOS and macOS and is also used in platforms like the Nintendo Switch, Sony PlayStation and even the entertainment unit in Tesla cars. Despite receiving significantly more security patches than other browser engines, it remains a favourite target for exploitation in contests like Pwn2Own.This talk presents the audience with an overview of the JavaScriptCore JavaScript Engine used in WebKit, its collection of interpreters and JITcompilers, security mitigations, exploitation techniques and closes with exploiting it to achieve arbitrary memory read/write using a previously disclosed vulnerability.

About : Vicky is a Principal Researcher in the Unit 42, Threat Intelligence Team of Palo Alto Networks for the Asia Pacific region where he spearheads research mainly on cybercrime and cyber espionage campaigns. Vicky is also nominated by INTERPOL Global Complex forInnovation (IGCI) as a cybercrime expert to collaborate on investigations coordinated by INTERPOL. Prior to joining Palo Alto Networks, he was leading the Cyber Incident Response team at Barclays for the Asia Pacific region. Vicky was actively involved in identifying and responding to targeted attacks, analyzing unknown malware and attributing the attacks to the threat actors. Vicky has assisted law enforcement globally in providing actionable intelligence on threat campaigns that were key in identifying cybercriminals, and has extensive experience in building and managing Company Emergency Response Team (CERT) and Security Operations Center (SOC) teams. Vicky holds a Master’s degree in Information Systems from Nanyang Technological University, a Bachelor's Degree in Computer Applications from Bangalore University and various SANS GIAC certifications.

Talk Title: The Magic of Tracking APT Campaigns Using Data Science

Abstract : Data Science is a field which uses scientific methods, statistics and algorithms to discern and extract insights from various types of datasets and is a critical component of Machine Learning and AI based solutions. While the use of data science techniques and methodologies is frequently used in various fields, including cybersecurity products and technologies, it is not commonly used operationally or part of the tools used by cyber threat analysts, defenders or researchers when investigating, hunting or analysing attack campaigns. One of the biggest challenge cyber security defenders face is the sheer volume of attack data and samples, which takes a significant amount of time to analyse and make sense of. For example, when analysing unknown malware samples, a large amount of time is spent by malware analysts and reverse engineers to perform analysis on individual malware samples and determine if the samples belong to a known malware family, a new variant or a new family altogether. This talk will discuss the benefits of using data science when investigating attack campaigns and will cover some of the techniques and algorithms like jaccard-index and min hashing algorithms that can be used to extract and discern patterns which can significantly reduce analysis times during investigations. The talk will include real word cases investigated by Unit42, the threat intelligence team of Palo Alto Networks and show how some data science techniques were pivotal in getting a better understanding of the attack campaigns during specific investigations, including tracking APT/nation state threat actors in the Asia Pacific region. Due to the results obtained from using such data-science methods, many other interesting observations were extracted, such as the working days and hours of the week of the threat actors.

About : Ashwin Vamshi is a Security Researcher at Netskope. He has an innate interest in targeted attacks and malwares using cloud services. His research has been quoted in Forbes and also in several Infosec magazines and online portals. Ashwin primarily focusses in identifying malwares, campaigns and threat actors which use ‘cloud as an attack vector’.

Talk Title: Phishing in the cloud era

Abstract : Cloud services are built for increased collaboration and productivity, and provide capabilities like auto sync and API level communication. As a result, cybercriminals have started launching their attacks from these trusted cloud services. This talk will focus on how attackers are abusing these trusted cloud services to create Phishing attacks that are highly effective and hard to detect. The attackers not only craft a “near original” phishing bait but also make it hard for security products to detect such attacks. The speaker’s year-long research focused on analysing this new wave of phishing attacks and assessing the criminal and logistical significance of abusing popular cloud services solves two problems - It brings awareness to the dangers of treating any cloud service as inherently trusted. - It provides techniques we can use to defend against new phishing techniques that abuse cloud services. The motive is to educate the audience about the new wave of sophisticated attacks abusing highly trusted services like Google and its App engine APIs, object stores in AWS/ Azure/ GCP and other Tier-1 SaaS applications.

About : Vladimir graduated from Ural State Technical University with a degree in information security of telecommunication systems. He started his career as a security engineer at Russian Federal Space Agency. His research interests are ICS, IoT like smart toys, TVs, smart city infrastructure and threat intelligence. Vladimir joined Kaspersky Lab in 2015 as a security researcher. He has participated in various security conferences as a speaker, like SAS, ZeroNights, S4, CSS, GeekPwn, Europol etc. Vladimir is also a co-founder of Kaspersky Industrial CTF. He is a part of Critical Infrastructure Defense Team (CID-Team) and Kaspersky Lab ICS CERT in Kaspersky Lab.

Talk Title: Schrödinger 0-day in SCADA

Abstract : BlackEnergy/ Sandworm is a well-known group operating at least since 2010 and famous, among other things, for its attacks on industrial control systems. It received much media attention in 2015, after an attack on a Ukrainian power grid company, which resulted in power blackouts in several regions. Although the group remained under the radar for a while, it caught researchers’ attention again last year. Even though their toolset had completely changed over time, certain techniques remained the same, specifically the use of exploits for various software vendors’ products, including SCADA systems. One specific zero-day vulnerability in a popular SCADA system, which the group exploited for several years to attack industrial organizations, remained unknown and the Kaspersky Lab ICS CERT team investigated a possible attack scenario. We would like to tell you about the exploitation of the possible zero-day vulnerability in the vendor’s software and reconstruct the attack by showing a live demo.

About : Sergey is an active member of Critical Infrastructure Defense Team (CID-Team) and Kaspersky Lab ICS CERT. His research interests are fuzzing, binary exploitation, penetration testing and reverse engineering. He started his career as malware analyst in Kaspersky Lab. Sergey has OSCP certification. Vladimir graduated from Ural State Technical University with a degree in information security of telecommunication systems. He started his career as a security engineer at Russian Federal Space Agency. His research interests are ICS, IoT like smart toys, TVs, smart city infrastructure and threat intelligence. Vladimir joined Kaspersky Lab in 2015 as a security researcher. He has participated in various security conferences as a speaker, like SAS, ZeroNights, S4, CSS, GeekPwn, Europol etc. Vladimir is also a co-founder of Kaspersky Industrial CTF. He is a part of Critical Infrastructure Defense Team (CID-Team) and Kaspersky Lab ICS CERT in Kaspersky Lab.

Talk Title: Schrödinger 0-day in SCADA

Abstract : BlackEnergy/ Sandworm is a well-known group operating at least since 2010 and famous, among other things, for its attacks on industrial control systems. It received much media attention in 2015, after an attack on a Ukrainian power grid company, which resulted in power blackouts in several regions. Although the group remained under the radar for a while, it caught researchers’ attention again last year. Even though their toolset had completely changed over time, certain techniques remained the same, specifically the use of exploits for various software vendors’ products, including SCADA systems. One specific zero-day vulnerability in a popular SCADA system, which the group exploited for several years to attack industrial organizations, remained unknown and the Kaspersky Lab ICS CERT team investigated a possible attack scenario. We would like to tell you about the exploitation of the possible zero-day vulnerability in the vendor’s software and reconstruct the attack by showing a live demo.

About : Joerg Simon is an active contributor to various Open Source Projects. You can see results of his work as a ISECOM team - member, where he created the OSSTMM - Lab as a platform for teaching security – and within the Fedora-Project, where he works on Security Test Applications like dsniff, unicornscan and others. He maintains the official Fedora-Security Lab and left his traces as a member of the Fedora Board. He is Director of the business division security and audit service at audius GmbH and audius India Private Limited.

Talk Title: OpRisk, the new old security challenge

Abstract : There are security channels like functional safety, fault management and physical risk management and not to forget compliance - which nowadays, are often neglected, misused, ignored or hated. Representatives of these channels - on the other hand - are masters in ignoring the information security eco system. Keeping the operational business running is the real word challenge that we, as a security eco system, try to support with our work. Understanding the context from each field is a huge opportunity and those who can master multi-channel security and operational risks, will have the advantage in the future. The talk will introduce to the specific challenges and catalyze possible ideas.

About : Vaidik joined Grofers in 2015 and since then was involved in a number of projects – from architecting their cloud infrastructure, to designing infrastructure governance, to re-architecting some of the backend systems, to leading the engineering team of Grofers.com product from scratch. He is a big believer in DevOps and Lean Production methodologies and influences the tech teams to adopt DevOps the right way. Currently, he is working as VP Engineering for DevOps & Security, working towards driving DevOps and security culture across all engineering teams and enabling them to move fast and break nothing.

Talk Title: Scaling Security

Abstract : DevOps helps you speed up delivery while not compromising on quality and service levels. It brings devs and ops together to collaboratively work on organization goals but innovation and stability. However, what happens to security in all this? How do you speed up security in your delivery process without compromising it? How do you scale security? Can we ensure security while not compromise speed? In this talk, we will talk about some practical lessons we learned while designing security systems and processes at Grofers to ensure scaling of security practices and culture while scaling up our teams, systems and business.

About : Ravinder Verma has been in the IT industry for more than 4 years as a security engineer. Since 2017 Ravinder has worked as security consultant for IBM X-Force Red. He holds multiple industry certificates including: Offensive Security Certified Professional (OSCP), Certified Ethical Hacker (C|EH), CCSK and ISO 27001 Lead Auditor. He holds a Master’s degree in Cyber Law & Information Security and an engineering degree in Computer Science.

Talk Title: Comprehensive approach to Anonymity

Abstract : I introduce a novel methodology which is censorship resistant from the deep packet inspection by the censors or ISP and fortified by malicious exit nodes using VPN technology. To achieve this, I have done the survey to collect data about the preferences they sought with TOR privacy, security & performance. And depending upon that, I categorize the threat model and the respective security model. I believe that as high-speed anonymity networks become readily available the aforementioned security model based on threat models will prove significant and compelling.

About : Piyush Raj who also goes by the alias name "0x48piraj", is an 18 y/o college sophomore who is impassioned about finding vulnerabilities everywhere and has found and responsibly disclosed vulnerabilities in Motorola, Canon (CVE-2019-14339), Mozilla Firefox Browser for Android & iOS, Node.JS, Intel, Samsung, LG Electronics, Google Science Fair 2018 Portal, I.I.T. Bombay & Madras, Cornell University, UNESCO, The United Nations, Dutch & Indian Government and many others.

Talk Title: Server fingerprinting: How I broke most famous recon tools and made the script kiddies sad

Abstract : The web is a funny old place. One creates a wonderful application, deploys it for the world to see and suddenly, everybody just wants to break it. Every hacker uses reconnaissance tools to get a feel about the target. This talk will attempt to show that how these tools work under the hood and how this information can be then used to improve the defensive posture of modern web applications while causing headaches for the average script kiddies or scanner monkeys. This session will show you breaking/fuzzing/fooling some of the most common security tools used for fingerprinting. There will be (possibly frightening) live demos breaking Nmap, Wappalyser, Nikto and what can be done about it. After successfully breaking those tools, we'll explore what can be done to circumvent those attacks and how machine-learning can be used in security. A full circle of scenarios of attacks will be demonstrated and all the tools presented in the talk will be released under open-source license.

About : Wasim is responsible for driving the growth strategy for PublicisSapient's IT modernization value proposition and runs Cloud, DevOps, Security & SRE practice & COE worldwide. Apart from building a service portfolio, corporate strategic alliances, he is also responsible for delivery. He is accountable for defining engineering competency and scaling capabilities. He is a fan of change and has been reskilling his team's capabilities to be relevant to create business impact.

Talk Title: DevSecOps – a headwind or tailwind

Abstract : Security is of data is prime. Integrated it into the DevOps pipeline can prevent discovering issues in the productionization stage. However it can be a headwind against agility. Our goal should be to deliver products that delight customers. Let’s discover is security become a headwind or tailwind by really helping us delivering secure and quality solutions.

About : Riddhi Shree is an Application Security Analyst at Appsecco. She started her career in Information Security one and a half years ago. Prior to this, she had been working as Quality Analyst and a Scrum Master in different organizations. She is the chapter leader for null open source security Community in Bangalore. She has spoken at Offensive Security Conference Bangalore by ISC2. She has conducted training and workshop at c0c0n and BSides Delhi security conferences. She is an avid learner, and she enjoys experimenting with new ideas. The vulnerable Android app VyAPI is the outcome of one such experiment. Riddhi is the developer and maintainer of the vulnerable VyAPI Android app.

Talk Title: DevSecOps – a headwind or tailwind

Abstract : VyAPI is a hybrid Android app that's vulnerable by design. We call it VyAPI, because its flaws are pervasive and it communicates not just via IPC calls but API calls, too. Amazon Cognito has been used to handle authentication, authorization and user management. AWS Amplify Console has been used to consume the Authentication APIs provided by AWS Amplify Authentication module. Room persistence library has been used to handle data in the local SQLite database. GLide API has been used to load images. AndroidX libraries and JAVA programming language have been used to develop the business logic of VyAPI Android app. We know how to attack activities, but, what could change with fragments coming into the picture? There might be a case where we just have one activity, but multiple fragments (each rendering a different functionality) in our Android app. VyAPI will allow you to experience this behavior of our modern day Android apps.

VyAPI is different not only in terms of its look and feel, but also in terms of latest technologies being used to build it. Following primary tools and technologies have been used to develop VyAPI:

• 1. AWS Amplify CLI
• 2. AWS SDK for Android 10
• 3. Amazon Cognito
• 4. OpenJDK 1.8.0_152-release
• 5. Glide v4
• 6. Room Persistence Library
• 7. Gradle 5.1.1

Modern technologies are eliminating security risks by blocking vulnerable features by default. However, not all vulnerabilities could go away that easily. Also, with new technologies come new security vulnerabilities. Security misconfigurations, business logic flaws, and poor coding practices are evergreen vulnerabilities. VyAPI is the vulnerable hybrid Android app which can be used by our security enthusiasts to get a hands-on experience of a variety of modern and legacy Android app vulnerabilities. In this talk, you will primarily get to know how to exploit following vulnerabilities:

• 1. Broken Authorization due to security mis-configurations in Amazon Cognito setup
• 2. Vulnerable Activity
• 3. Vulnerable Service
• 4. Vulnerable Broadcast Receiver
• 5. SQL Injection through Content Provider
• 6. Hard Coded Secret
• 7. Insecure Data Storage
• 8. Business Logic Flaw
• 9. Insecure Coding Practices

About : Amit is working as a Security Researcher with Adobe. He has 10+ years of experience in software security and development. He has contributed to various cloud security tools and automations to achieve security and compliance at Adobe. His areas of interests are security automation, instrumenting security in DevOps and Fuzzing. He had done masters in computer science and information security from IIIT-Hyderabad. He is an AWS certified security specialist.

Workshop Title: Instrumenting Security Automation in CI/CD

Abstract : In today’s fast-paced world, integrating the security tooling with continuous delivering is necessary to achieve security and compliance goals. As continuous delivery is used to build, test and deploy code rapidly, automation is the only way to address or mitigate security risks. Therefore, we propose a lab to show and experiment with security automation strategies around the CI/CD. The session will feature, how the principles, practices, and tools of DevSecOps can improve the security of the product. Furthermore, we will discuss the secure CI/CD pipeline setup and various security automation strategies around this CI/CD with some examples for demo. The audience will be given a running service and Jenkins set up for the lab. Attendees will learn to set up a CI/CD pipeline using Jenkins and Docker and perform hands-on exercises to instruments security in CI/CD

About : Gineesh is working as a product security researcher in Adobe and has over 9 years of experience in multiple security domains, specializing in Application Security along with deep knowledge of Threat Modelling and guiding teams on adoption and execution of a Secure Product Life Cycle. He is OSCP and RHCE certified.

Workshop Title: Instrumenting Security Automation in CI/CD

Abstract : In today’s fast-paced world, integrating the security tooling with continuous delivering is necessary to achieve security and compliance goals. As continuous delivery is used to build, test and deploy code rapidly, automation is the only way to address or mitigate security risks. Therefore, we propose a lab to show and experiment with security automation strategies around the CI/CD. The session will feature, how the principles, practices, and tools of DevSecOps can improve the security of the product. Furthermore, we will discuss the secure CI/CD pipeline setup and various security automation strategies around this CI/CD with some examples for demo. The audience will be given a running service and Jenkins set up for the lab. Attendees will learn to set up a CI/CD pipeline using Jenkins and Docker and perform hands-on exercises to instruments security in CI/CD

About : An accomplished security professional with over a decade of experience in information security solution engineering, services, vulnerability research, reverse engineering and security tools development. Experienced in security solution development using CloudNative and Kubernetes Native technologies. Developed tools and technology to find vulnerabilities in web applications, network servers, client-side applications. Conducted product security audit of enterprise applications and credited with vulnerability discovery (CVE) for the same. Credited with multiple vulnerability discovery across enterprise products with CVEs to his name such as CVE-2015-0085, CVE-2015-1650, CVE-2015-1682, CVE-2015-2376, CVE-2015-2555, CVE-2014-4117, CVE-2014-6113. An active participant of NULL – India's largest open security community as a core team member responsible for technology development. As an open source software contributor, he has developed or contributed to multiple projects including:

• Wireplay
• Penovox
• HiDump
• RbWinDBG

Workshop Title: Software Vulnerability Discovery using Static Analysis and Fuzzing

Abstract : The objective of this workshop is to introduce participants familiar with vulnerability assessment and penetration testing to the art of discovering software vulnerability through static code analysis and fuzzing. The workshop will provide a getting started experience and discussion space for anybody interested in navigating source code to identify potential attack surfaces, which in turn can be fuzzed in a targeted manner to discover potential vulnerabilities. Familiarity with reading C/C++ is preferred. Ability to read and understand other people's code (in any language) is highly recommended for participants.

About : Ashfaq Ansari a.k.a "HackSysTeam" is a vulnerability researcher and specializes in software exploitation. He has authored "HackSys Extreme Vulnerable Driver (HEVD)" which has helped many folks to get started with Windows kernel exploitation. He holds numerous CVEs under his belt and is the instructor of "Windows Kernel Exploitation" course. His core interest lies in Low Level Software Exploitation both in User and Kernel Mode, Vulnerability Research, Reverse Engineering, Hybrid Fuzzing and Program Analysis.

Workshop Title: Software Vulnerability Discovery using Static Analysis and Fuzzing

Abstract : The objective of this workshop is to introduce participants familiar with vulnerability assessment and penetration testing to the art of discovering software vulnerability through static code analysis and fuzzing. The workshop will provide a getting started experience and discussion space for anybody interested in navigating source code to identify potential attack surfaces, which in turn can be fuzzed in a targeted manner to discover potential vulnerabilities. Familiarity with reading C/C++ is preferred. Ability to read and understand other people's code (in any language) is highly recommended for participants.

About : Adam Laurie aka rfidiot aka Major Malfunction is an old school hacker who's been breaking things since before PCs and the Internet were a thing. His specialty is hardware / embedded reverse engineering in general, and low level OTA protocols and crypto in particular. He has spoken over the years on Bluetooth, RFID/NFC, Magstripe, Zigbee, DVB-T/S and many other subjects. He has been DEF CON Quartermaster for over 20 years and runs the London DC chapter DC4420. In his spare time he likes to hack stuff.

Workshop Title: Building a GEN2 UHF RFID Reader with SDR

Abstract : There are two types of RFID - those that use INDUCTIVE COUPLING like NFC and those that use RF like GEN2 UHF as per the title. NFC has been widely covered and exploited in the hacking scene, but UHF really has not, other than a few "long range" experiments. However, UHF is now being widely adopted for all kinds of interesting applications, from vehicle gateways on toll roads and border crossings to goods and inventory tracking in logistics. Even airline luggage will soon be sporting fancy e-paper tags with UHF tracking enabled, but how safe is that going to be? What research has been done in this area? Well, before hackers can start researching they need the tools, and this workshop will cover the first step in creating those tools... Building your own SDR controlled UHF RFID reader gives you the power to dig right down into the guts of the protocol and start fooling around... Who knows what you'll find? We will be implementing a reader using the BladeRF platform, and will cover "gotchas", tips and tricks to better understand how to get this working and your UHF hacking project under way...

About : Shruti is a 19 year old CTF player who is pursuing her BTech in Computer Science and Engineering at Amrita Vishwa Vidyapeetham. She loves indulging in stripping the binaries apart and exploiting bugs which are hidden under the hood of the boring-looking disassembled code. She is currently a part of TeamShakti -the leading women-only CTF team from India. Also, being an active player in the team she participates in various CTFs conducted at both national and international level. She was also granted student scholarship for attending BHASIA 2019 which is an elite Cybersecurity conference held annually at Singapore.

Workshop Title: Intro to Dark Arts: Getting Started with CTFs

Abstract : This workshop will introduce the participants to the world of CTF contests as a way to learn real-world security skills. It will provide them the basic knowledge for playing CTF and how to get started with solving hands-on challenges in the domains of Cryptography, Reverse Engineering and Binary Exploitation. The workshop will consist of hands-on sessions for each domain as mentioned below to help participants get familiarized with the tools and libraries for each corresponding domain. - Cryptography is the art of disguising confidential data from eavesdroppers and making it accessible only to the authorized parties. It is built from the Number theory, a branch of pure mathematics devoted primarily to the study of integers.  - Reverse Engineering, mainly includes understanding assembly language and reversing obfuscated Linux binaries. The attendees will get to learn about the usage of tools such as GDB and GHIDRA for dynamic analysis and IDA for static analysis.  - Binary Exploitation is the art of ripping the binaries apart in order to find vulnerabilities and exploit them to spawn a shell on the server. The session will cover topics ranging from basic buffer overflow to learning overwriting return addresses and defeating ASLR.

About : Neelam Singh Gurjar is currently learning and practicing offensive and defensive Cryptography. She is a part of TeamShakti -the leading women-only CTF team from India. TeamShakti got into the arena of capturing flags this year and is one among the 3 only women-only CTF teams worldwide. Also, being a part of the team she actively participates in various CTFs conducted at both national and international level. She is currently pursuing her BTech in Computer Science and Engineering at Amrita Vishwa Vidyapeetham

Workshop Title: Intro to Dark Arts: Getting Started with CTFs

Abstract : This workshop will introduce the participants to the world of CTF contests as a way to learn real-world security skills. It will provide them the basic knowledge for playing CTF and how to get started with solving hands-on challenges in the domains of Cryptography, Reverse Engineering and Binary Exploitation. The workshop will consist of hands-on sessions for each domain as mentioned below to help participants get familiarized with the tools and libraries for each corresponding domain. - Cryptography is the art of disguising confidential data from eavesdroppers and making it accessible only to the authorized parties. It is built from the Number theory, a branch of pure mathematics devoted primarily to the study of integers.  - Reverse Engineering, mainly includes understanding assembly language and reversing obfuscated Linux binaries. The attendees will get to learn about the usage of tools such as GDB and GHIDRA for dynamic analysis and IDA for static analysis.  - Binary Exploitation is the art of ripping the binaries apart in order to find vulnerabilities and exploit them to spawn a shell on the server. The session will cover topics ranging from basic buffer overflow to learning overwriting return addresses and defeating ASLR.