AGENDA 2015

All presentations in Polish will be translated into English.

PROGRAM

DAY ONE – SEPTEMBER 15TH, 2015, TUESDAY

8:00 – 9:00

REGISTRATION

9:00 – 9:15

OPENING ADDRESS

Mirosław MAJ / Cybersecurity Foundation

9:15 – 9:45

Malware evolution: Understanding the approach taken to bring down the Beebone botnet in collaboration with global law enforcement

Raj SAMANI / Intel Security

Beebone is an example of polymorphic malware – malware that changes its form and even control servers with every new infection. The criminals have evolved the threat to make detection and remediation as difficult as possible. This is the epitome of zero-day malware because the typical artifacts used to write signatures or to update blacklists (e.g., file hash, control server IP address, etc.) are different in each attack, making the attack evasive and readily able to spread to new machines across a network. This is exactly why the “catch me if you can” material about Beebone gives us so much to talk about.
McAfee Labs stayed ahead of Beebone, developing an automated system to make protection available through McAfee GTI as new attacks were identified. The McAfee Labs zoo now contains more than five million unique W32/Worm-AAEH (Beebone) samples – a significant number for a single botnet. This volume of samples illustrates how rapidly polymorphic malware changes and how difficult it can be to stay ahead of it.

9:45 – 10:30

Operating environment hardening – how to achieve a higher level of system resiliency?

Jørgen WOORTMAN / Microsoft

10:30 – 11:00

COFFEE BREAK

11:00 – 11:40

The Naked Hacker: Bringing Radical Transparency into Pentesting

Melanie RIEBACK / Radically Open Security

Over the last 1.5 years, our geographically distributed pentest team has been taking “crystal box” to another level. We open-source our internal SW and documents, and using tools like IRC/RocketChat and Gitlab, customer “volunteers” on our pentests see all, hear all, and can actively hack along. The result is interesting: close-knit collaboration, mid-pentest scope changes, weird/funny situations, and Security ChatOps. This talk will discuss our experiences bringing Radical Transparency into the pentesting process.

11:40 – 12:10

THE TWO WHO INTENDED TO UNDERMINE A TELCO’S REPUTATION – CASE STUDY

Krzysztof BIAŁEK / Orange Poland

At every step we come across advice on how to behave on the Internet so as not to fall prey to frauds and phonies. Many of us approach e-mails from strangers carefully, and we usually don’t open suspicious-looking attachments. But what if the attacker skilfully impersonates a well-known institution? What consequences can opening one e-mail too many have?

12:10 – 13:10

LUNCH

13:10 – 13:40

APT29 and Hammertoss

Michał OSTROWSKI, Tomasz PIETRZYK / FireEye

The so-called “state-sponsored” (government-supported) attacks became widely known mainly as a result of the Mandiant APT1 report, which presented the cyber-espionage activities run by a group located in China. The newest, most significant cyber-espionage activities, described in the APT29 group report, will be presented. This group is linked to Russian cyber-espionage activities.

13:40 – 14:10

MALWARE CODE EVOLUTION, INNOVATIVE MODEL OF DEFENCE AGAINST MALWARE, CASE STUDY

Juan SANTESMASES / Panda Security

The concept is based on classifying all (!) executed processes on a security scale and monitoring the applications in real time. Built up successively over several years, the process catalogue has more than 1.2 billion items; the solution guarantees 100% protection both against advanced targeted attacks and against zero-day attacks. We present a case study and will show the measurable differences from other security models.

14:10 – 14:40

Masking APT with DDoS

Oğuz YILMAZ / Labris Networks

Intrusion prevention systems generally have a limited packet-processing capacity, which can easily be filled up by high packet-rate DDoS attacks using common attack vectors. An infiltration case study will be presented.

14:40 – 15:10

COFFEE BREAK

15:10 – 15:40

Meanders of Streaming – Fraud Cases

Radosław MATULEWICZ / KWP Szczecin

15:40 – 16:10

Alternative Means of Communication in Guerrilla Operations

Adam HAERTLE / ISACA

Three case studies: Hezbollah and Hamas telecommunications solutions in response to Israeli intelligence operations, the communication networks of the Mexican drug cartels, and steganography in public radio in combating guerrilla warfare.

16:10 – 16:40

Scrubbing Center – a short history of its birth

Krzysztof SURGUT / Data Invest

The presentation will show the origins of the new Scrubbing Center in Poland. We will discuss the basic assumptions, the requirements, the way the Scrubbing Center was built, and the criteria for selecting a solution. An introduction to Scrubbing Centers will also be presented.

16:40 – 17:10

HOW TO BUILD AND MAINTAIN A SECURE APPLICATION. A BANK BREAK-IN CASE STUDY

Wojciech DWORAKOWSKI / OWASP Polska

This year news about a break-in into the internet banking system of a Polish bank hit the media. The case was interesting, since (according to the published information) the intruder acted alone and managed to take control of the internet banking system’s servers, stole customers’ money and seriously damaged the bank’s reputation. I will present the intruder’s likely courses of action and the vulnerabilities he exploited, but above all I will discuss the methods and tools that lower the risk of such cases occurring. I will present the OWASP tools and documents which help to build and maintain secure applications.

SOCIAL CASE STUDY NETWORKING

PROGRAM

DAY TWO – SEPTEMBER 16TH, 2015, WEDNESDAY

9:00 – 9:15

OPENING ADDRESS

Mirosław MAJ / Fundacja Bezpieczna Cyberprzestrzeń

9:15 – 9:55

REPUBLIC OF POLAND CYBERSPACE DEFENCE – THE CONTROLLED UNITS’ REACTIONS TO THE FINDINGS AND CONCLUSIONS FORMULATED BY THE SUPREME AUDIT OFFICE – REALISATION OF THEIR DUTIES IN THE CYBERSPACE PROTECTION BY THE STATE ENTITIES

Tomasz SORDYL / Supreme Audit Office (NIK)

9:55 – 10:35

Case Study of Frauds on an Auction Website “From Email to ATM”

Dawid GOLAK, Błażej MIGA / Allegro

10:35 – 11:05

THE CLOUD: COVERTNESS AS A SERVICE

Raphaël VINOT / The Computer Incident Response Center Luxembourg (CIRCL)

This presentation will explain how a group used uncommon devices to exfiltrate information, and used cloud service providers and localized network resources to hide its activities in the middle of legitimate-looking traffic.

11:05 – 11:35

COFFEE BREAK

11:35 – 12:05

WHAT AN IT SECURITY EXPERT SHOULD KNOW ABOUT CHINESE ECONOMIC INTERNET FRAUD PERPETRATED

Piotr CANOWIECKI / ExamineChina.com

A case study of the four most popular frauds that Polish companies fall victim to. For each case, the criminal scheme, the symptoms that should arouse our vigilance and the ways to reduce the risk will be described. Good practices will also be discussed at the beginning.
Case studies:
– “Big Order Scam”. Large-order fraud; not only importers fall victim.
– “Prepayment Phishing”. When an active company does not send the item for which we have paid.
– “The substitution of your bank account number”. Who is doing it and how? What are OSA and NRA accounts, and why do you need to be cautious?
– “Fraud in the name of a nonexistent company”. Does its website prove the existence of a Chinese company?

12:05 – 12:35

Modbus Protocol – Created to Be Vulnerable

Marcin DUDEK / ComCERT

Although this industrial protocol is more than 30 years old, it is still widely used all over the world. The dynamic growth in the popularity of the cloud also affects industrial control systems, including critical infrastructure. Nowadays this is a big challenge for security experts, especially when dealing with such an old protocol. Possible and realistic attacks on the Modbus protocol, and ideas for defending against them, will be presented on real devices.

12:35 – 13:35

LUNCH

13:35 – 14:05

CHASING DOWN BAD GUYS IN ANDROID STORES

Adolfo HERNÁNDEZ / Eleven Paths

Massive interconnectivity, the expected outcome of globalization, together with the proliferation of mobile devices, are the top infosec hot topics so far. With more than 2,000 million smartphones in the world (as of 2014), an epic 16 million mobile devices currently in circulation around the world are infected by some sort of malware, with 36% YoY growth. The number of mobile banking trojans is nine times higher than in the same period of 2014. Thus security threats in the mobile world are growing incessantly: specific attacks, aggressive adware, fake applications that behave like genuine ones only to steal information and consume services on a second level, etc. These threats remain actively available on the markets long enough to affect thousands of users. The high dynamism of the app markets and the incredibly fast rate at which new applications appear in them have brought the traditional countermeasures to the edge of failure in their fight against malicious developers.

14:05 – 14:35

ANDROID APPLICATIONS – DANGEROUS PRACTICE

Dawid PACHOWSKI, Patryk TENDERENDA, Michał SZKLARSKI / Warsaw University of Technology

It will be shown how easy it is to get around mobile application safeguards. The example will be a program that stores encrypted notes and runs entirely on the device (i.e. offline). The speakers will decompile the program and present to the audience a short analysis of the obtained code. The discovered errors, not only development-related but also business-logic-related, will be discussed. The motivation for this presentation is to show how often programmers (and not only they) forget about application security when coding.

14:35 – 15:05

How to develop the Internet security response community thanks to a crisis?

Zuzana DURAČINSKÁ / CSIRT.CZ

As a result of the DDoS attacks that affected a number of media, banks and providers in the Czech Republic in 2013, there were a number of changes in the Czech cyber security field. There are activities that helped to build what we can today call a rather strong cyber security community. As a result there are 22 CERT/CSIRT teams officially recognised by Trusted Introducer, and a number of teams which might not have official status but provide very good services in the field of security. But these DDoS attacks were not the only trigger that helped to build so many security teams. In my presentation I will introduce more projects and activities that we find very effective in building trust and cooperation among the partners.

15:05 – 15:30

OBLIGATION TO REPORT SECURITY INCIDENTS IN THE NEW EU DATA PROTECTION LEGAL FRAMEWORK – VIDEO PRESENTATION

Wojciech Rafał WIEWIÓROWSKI / Assistant European Data Protection Supervisor

15:30 – 15:45

Polish Army Cyber Volunteers – the official inauguration of the initiative

Tomasz CHLEBOWSKI, Mirosław MAJ / Cybersecurity Foundation

15:45 – 16:45

PANEL DISCUSSION – Polish Army Cyber Volunteers

PANELISTS:
Andrzej Zybertowicz – Chief Adviser, National Security Bureau and the President of Poland
Maciej Pyznar – National Security Bureau
Representative of the Ministry of National Defence
Mirosław Maj – Cybersecurity Foundation

16:45

END OF THE CONFERENCE – PRIZE DRAW

WORKSHOP

SEPTEMBER 14TH, 2015, MONDAY

WORKSHOP 1 – CERT GAMES, SEPTEMBER 14TH

The exercises are carried out by the Cyber Europe 2014 winning team.

The workshop will be conducted by the ComCERT.PL representatives:

KRYSTIAN KOCHANOWSKI
DAWID OSOJCA

CERT Games are key defence exercises for an organisation’s ICT infrastructure.

  1. Exercise objective:

The aim of the exercise is to develop proper habits and practice in handling incidents and defending against attacks targeting IT infrastructure. In the exercise the participants are confronted with an existing infrastructure containing, inter alia, a web server, a mail server, a file server and a DNS server. The participants will attempt to defend these resources using all possible defensive techniques. They will be required to demonstrate the ability to carry out the activities related to proper protection of the infrastructure entrusted to them, to detect attacks and to make rapid decisions in response to the threats that occur. An additional advantage of the exercise is the possibility of evaluating the group-work and group problem-solving abilities of those delegated to participate. The teams will be evaluated throughout the exercise in order to assess the effectiveness of the actions undertaken. The exercise ends with the presentation of the teams’ results and an additional discussion panel devoted to the actions undertaken and the optimal strategy.

  2. The workshop is intended for:
  • ICT systems administrators
  • ICT security specialists
  3. The workshop includes:
  • detecting attacks targeting the infrastructure under the participants’ protection
  • detecting configuration and service vulnerabilities
  • log and network traffic analysis
  • system hardening
  4. The requirements for the participants:
  • basic knowledge of Linux systems administration
  • knowledge of network protocols, and the ability to analyse network traffic
  • basic knowledge of IT security
  • ability to analyse the logs of popular services
  5. It is expected from the participants:
  • to bring their own laptop with an Ethernet card or WiFi
  • to have OpenVPN, a VNC client, an ssh client and a web browser installed on their laptops.

Questions regarding the workshop can be sent to: scs-workshop-1@securitycasestudy.pl.