All presentations in Polish will be translated into English.
DAY ONE SEPTEMBER 15TH, 2015, TUESDAY
Mirosław MAJ / Cybersecurity Foundation
Malware evolution: Understanding the approach taken to bring down the Beebone botnet in collaboration with global law enforcement.
Raj SAMANI / Intel Security
Beebone is an example of polymorphic malware – malware that changes its form and even control servers with every new infection. The criminals have evolved the threat to make detection and remediation as difficult as possible. This is the epitome of zero-day malware because the typical artifacts used to write signatures or to update blacklists (e.g., file hash, control server IP address, etc.) are different in each attack, making the attack evasive and readily able to spread to new machines across a network. This is exactly why the “catch me if you can” material about Beebone gives us so much to talk about.
McAfee Labs stayed ahead of Beebone, developing an automated system to make protection available through McAfee GTI as new attacks were identified. The McAfee Labs zoo now contains more than five million unique W32/Worm-AAEH (Beebone) samples – a significant number for a single botnet. This volume of samples illustrates how rapidly polymorphic malware changes and how difficult it can be to stay ahead of it.
The Naked Hacker: Bringing Radical Transparency into Pentesting
Melanie RIEBACK / Radically Open Security
Over the last 1.5 years, our geographically distributed pentest team has been taking “crystal box” to another level. We open-source our internal SW and documents, and using tools like IRC/RocketChat and Gitlab, customer “volunteers” on our pentests see all, hear all.. and can actively hack along. The result is interesting: close-knit collaboration, mid-pentest scope changes, weird/funny situations, and Security ChatOps. This talk will discuss our experiences bringing Radical Transparency into the pentesting process.
THE TWO WHO INTENDED TO UNDERMINE A TELCO’S REPUTATION – CASE STUDY
Krzysztof BIAŁEK / Orange Poland
At each step we can come across on how we should behave in the world of the Internet, not to fall prey to frauds and phonies. Many of us carefully approaches reading e-mails from strangers. Usually we also don’t open suspicious-looking attachments. But what if the attacker impersonates skillfully under the well-known institution? What consequences may cause opening one e-mail too many?
APT29 i Hammertoss
Michał OSTROWSKI, Tomasz PIETRZYK / FireEye
The so-called „state-sponsored” (government-supported) attacks have become mostly known as a result of the Madiant APT1 report. That report presented the cyber-espionage related activities run by a group located in China. The newest, most significant cyberspying ectivities, described in the APT29 group report, will be presented. This group is linked to the Russian cyberspying activities.
MALWARE CODE EVOLUTION, INNOVATIVE MODEL OF DEFENCE AGAINST MALWARE, CASE STUDY
Juan SANTESMASES / Panda Security
The concept is based on the classification of all (!) executed processes on the security scale and the monitoring of the applications in real time. Built successively for several years the processes catalog has more than 1.2 billion items, the solution guarantees 100% protection both in case of advanced dedicated attacks and Zero-Day attacks. We present a case study and will show the measurable differences with other security models.
Masking APT with DDOS
Oğuz YILMAZ / Labris Networks
Intrusion prevention systems have generally a limited packet processing capacity. This processing capacity has easily be filled up with high packet rate ddos attacks using common attack vectors. An infiltration case study will be presented.
Meanders of Streaming – Fraud Cases
Radosław MATULEWICZ / KWP Szczecin
Alternative Means of Communication in Guerrilla Operations
Adam HAERTLE / ISACA
3 case studies: Hezbollah & Hamas Telecommunications Solutions in a response to the Israeli intelligence operations, communication networks of the Mexican drug cartels, and steganography in the public radio in combating the guerilla warfare)
Krzysztof Surgut / Data Invest
The presentation will show the origins of the new Scrubbing Center in Poland. We will discuss the basic assumptions, requirements and the way the construction Scrubbing Center, as well as criteria for selecting a solution. Moreover, It will also be presented propaedeutics Scrubbing Center.
HOW TO BUILD AND MAINTAIN A SECURE APPLICATION. A BANK BREAK-IN CASE STUDY
Wojciech DWORAKOWSKI / OWASP Polska
This year a news about breaking into an internet banking system of a Polish bank has hit the media. The case was interesting enough, since (according to the published information) the break-in author was an acting alone intruder who managed to take over the servers’ of the internet banking system control, stole the customers’ money and caused a serious impact on the bank’s reputation. I will present the likely intruder’s courses of action, the vulnerabilities he has exploited, but above all I will discuss the methods and tools to lower the risk of the occurrence of such cases. I will present the OWASP tools and documents which help to build and maintain secure applications.
DAY TWO SEPTEMBE 16TH, 2015, WEDNESDAY
Mirosław MAJ / Fundacja Bezpieczna Cyberprzestrzeń
REPUBLIC OF POLAND CYBERSPACE DEFENCE – THE CONTROLLED UNITS’ REACTIONS TO THE FINDINGS AND CONCLUSIONS FORMULATED BY THE SUPREME AUDIT OFFICE – REALISATION OF THEIR DUTIES IN THE CYBERSPACE PROTECTION BY THE STATE ENTITIES
Tomasz SORDYL / Supreme Audit Office (NIK)
Case Study of Frauds in Auction Website “From Email to ATM”
Dawid GOLAK, Błażej MIGA / Allegro
THE CLOUD: COVERTNESS AS A SERVICE
Raphaël VINOT / The Computer Incident Response Center Luxembourg (CIRCL)
This presentation will explain how a group used uncommon devices to exfiltrate information, cloud services providers and localized network resources to hide it’s activities in the middle of legitimate looking traffic localized network resources.
WHAT IT SECURITY EXPERT SHOULD KNOW ABOUT CHINESE ECONOMIC INTERNET FRAUD PERPETRATED
Piotr CANOWIECKI / ExamineChina.com
Case study on the four most popular frauds, the Polish companies fall victims to. Criminal activities scheme, symptoms that should arouse our vigilance and the risk reduction ways will be described for each of the cases. At the beginning the good practices will also be discussed.:
– “Big Order Scam”. Large order fraud, not only the importers fall victims.
– “Prepayment Phishing”. When an active company does not send the item for which we have paid. – “The substitution of your bank account number”. Who and how is doing it? What are the OSA and NRA accounts, and why you need to be cautious?
– “Fraud in the name of a nonexistent company”. Does its website prove the existence of a Chinese company?
Marcin DUDEK / ComCERT
Although this industry protocol is more than 30 years old, it is still widely used all over the world. A dynamic growth of the cloud popularity also influences the industrial control systems, including the critical infrastructure. Nowadays it is a big challenge for security experts, especially dealing with such an old protocol. Possible and realistic Modbus protocol attacks and ideas for its defense will be presented on the real devices.
CHASING DOWN BAD GUYS IN ANDROID STORES
Adolfo HERNÁNDEZ / Eleven Paths
Massive interconnectivity, the expected outcome of globalization, together with mobile device proliferation, are the top infosec hot topics so far. With more than 2.000 million smartphones in the world (as per in 2014), an epic number of 16 million mobile devices now in circulation in the world are currently infected by some sort of malware, with a 36% YoY growth. The number of mobile banking trojans is nine times higher than in the same period of 2014. So that, security threats within the mobile world are growing incessantly: specific attacks, aggressive adware, fake applications performing like genuine ones only to steal information and consume services on a second level, etc. These threats continue actively available on the markets long enough to affect thousands of users. The high dynamism of the apps markets and the incredibly fast rate of appearance of new applications in them has brought the traditional countermeasures to the edge of failure in their fight against malicious developers.
Dawid PACHOWSKI, Patryk TENDERENDA, Michał SZKLARSKI / Warsaw University of Technology
It will be shown, how easy it is to get around the mobile application safeguards. An example would be a program that stores the encrypted notes, running entirely on the device (i.e. offline). The speakers will decompile the program and present a short analysis of the obtained code to the listeners. The discovered errors will be discussed, not only development-related, but also business logic-related. An incentive to this presentation is to show how often the programmers (and not only) forget about the application security, when coding.
Zuzana DURAČINSKÁ / CSIRT.CZ
As a result of DDoS attacks that effected number of media, banks and providers in Czech republic in 2013 there were number of changes on the Czech cyber security field. There are activities that helped to build what we can call today rather strong cyber security community. As a result there are 22 oficially recognized CERT/CSIRT teams by Trusted Introducer and number of teams which might not have official status but provide very good services in the field of security. But these DDoS attacks were not the only trigger that helped to build so many security teams. In my presentation I will introduce more projects and activities that we find very effective while building the trust and cooperation among the partners
PANEL DISCUSSION – Polish Army Cyber Volunteers
Andrzej Zybertowicz – Chief Adviser, National Security Bureau and the President of Poland
Maciej Pyznar – National Security Bureau
Representative of the Ministry of National Defence
Mirosław Maj – Cybersecurity Fundation
END OF THE CONFERENCE – PRIZE DRAW
SEPTEMBER 14TH, 2015, MONDAY
The exercises carried out by the Cyber Europe 2014 winning team:
The workshop will be conducted by the ComCERT.PL representatives:
CERT Games are key defense exercises for ICT infrastructure organisation.
- Exercise objective:
The aim of the exercise is to develop the proper habits and practice in handling incidents and defend against attacks targeting the IT infrastructure. In the exercise, the participants are confronted with an existing infrastructure, containing, inter alia, Web server, mail server, file server and DNS server. The participants will attempt to defend these resources using all possible defensive techniques. It will be required to present an ability to carry out the activities related to proper protection of the infrastructure entrusted to them, attack detection and rapid decision making related to the threat occurring. An additional advantage of the exercise will be a possibility of evaluation of the ability of those who are delegated to participate, in group-work and group problem-solving. The teams will evaluated throughout the duration of the exercise, in order to assess the undertaken actions’ effectiveness. The exercise ends with the team results’ presentation and an additional discussion panel aimed at discussion of the undertaken actions and the optimal strategy.
- The worksop is intended for:
- ITT systems administrators
- ITT security specialists
- The workshop includes:
- detecting attacks targeting the infrastructure uder participants‘ protection
- detection configuration and services‘ vulnerabilities
- log and network traffic analysis
- system hardening
- The requirements for the participants:
- basic knowledge of Linux systems administration
- knowledge of network protocols, and the ability to analyze network traffic
- basic knowledge of IT security
- ability to analyse the popular services’ logs
- It it expected from the participants:
- to bring their own laptop with an ethernet card or WiFi
- to have Open VPN, VNC client, ssh client and a web browser installed on their laptops.
Questions regarding the workshop can be sent to: [email protected].