
Tickets

  • BSidesBUD Pass for Individuals
    12 500 HUF

    This ticket type is valid only for individuals. Invoices will be issued only to individuals; companies cannot purchase this type of ticket.


  • BSidesBUD Pass for Companies
    25 000 HUF

    By purchasing this type, you will receive a VAT invoice for your ticket in your company’s name and address after we have received the payment.


  • BSidesBUD VIP Pass
    55 000 HUF

    By buying the BSidesBUD VIP pass you are supporting the conference and you will be able to enjoy the VIP catering during BSidesBUD2020 along with the speakers and staff members.

Schedule

  • BUDA Conference Hall
    08:00 - 09:00
    Registration
    09:00 - 09:05
    Attila Marosi-Bauer - Opening Ceremony
    09:05 - 09:45
    Paul Coggin - SS7 for INFOSEC
    SS7 is to the PSTN what BGP is for the Internet. In this presentation Paul will explain the fundamentals of the SS7 protocol and telecommunications architecture. An overview of how SS7 is utilized by large enterprises, mobile networks and service providers will be discussed. Security issues with the SS7 protocol will be covered with real world examples of how a service provider network may be targeted to gain access to the SS7 network.
    09:50 - 10:10
    Philipp Krenn - Security Tradeoffs in Elasticsearch
    The NoSQL ecosystem thrived on combining scalability and simplicity. This talk focuses on some assumptions we built Elasticsearch on, which helped the ease of use initially, but turned out to be less than perfect for security in the long run:
      • Binding to all interfaces and broadcasting join requests to the whole subnet makes clustering simple.
      • Running as root is the straightforward option.
      • Using a general purpose programming language for scripting adds lots of features.
      • Guessing the content-type of a request is fine.
      • Default passwords and clear-text password files are a reasonable tradeoff.
    10:15 - 10:55
    Swaroop Yermalkar - Modern iOS App Pentesting and Security
    This talk will discuss recent case studies of critical findings in mobile apps and also help you adopt the skills required to perform penetration testing and security audits of modern iOS applications. We will discuss tools and techniques to perform security assessments of modern iOS apps. This talk will explain both attack and defense approaches for iOS apps.
    10:55 - 11:15
    Coffee break (20 mins)
    11:15 - 11:55
    Alexander Polyakov - AI Security Challenges in 2020
    AI is steadily flooding our world, seeping into various verticals from autonomous cars and robots to defense, media and smart homes. Hundreds of new startups are implementing AI solutions worldwide and we are getting closer to the point where machine learning-based solutions will eat traditional algorithms. While we more or less understand how to deal with software vulnerabilities, we have no clue what's happening in ML-based solutions and how it's possible to hack them, except probably adversarial examples, which attracted media attention only 5 years after their initial invention. But this area is rapidly growing and we are getting to the point when there will be over 2000 research papers presented on this topic, and some of them will hit the media only in 5 years or so. In this presentation I will show what is happening in the AI security industry, the most closed cybersecurity area. We will discuss the most critical AI applications such as face recognition, self-driving cars and voice assistants, and the latest attacks on them. Then we will discuss ML algorithms such as classification, regression, reinforcement learning, clustering, etc., and how to attack them. And finally we will look at the particular attack methods such as adversarial, privacy, poisoning, backdoor and reprogramming attacks, and how they are evolving.
    12:00 - 12:40
    Csaba Fitzl - Exploiting Directory Permissions on macOS
    In this talk I will discuss how we can exploit applications on macOS (including macOS itself) where some of the directory or file permissions are incorrectly set. The incorrectness of these settings is not obvious at first sight, because these permissions are not intuitive to understand. We see bugs ranging from simple arbitrary overwrites to file disclosures and privilege escalation. The concepts apply to *nix-based systems as well; however, this talk focuses on macOS bugs only.
    12:40 - 13:25
    Lunch break (45 mins)
    13:25 - 14:05
    TBA
    14:10 - 14:30
    Devlin Duldulao - Introduction to PASETO (Platform-Agnostic Security Tokens)
    JSON Web Tokens (JWTs) have become ubiquitous in the web authentication landscape over the last four years. In this talk, I'll introduce you to their successor: PASETO tokens (platform agnostic security tokens).
    14:35 - 15:25
    Tomi Tokics - A Jump Back to 2016: iOS Jailbreaking
    In this talk I will introduce iOS jailbreaking, and I will do that by exploiting two real-world vulnerabilities from 2016. These bugs were used by the famous Pegasus spyware. The two bugs are CVE-2016-4655 and CVE-2016-4656.
    15:25 - 15:40
    Break (15 mins)
    15:40 - 16:20
    Ali Abdollahi - New Era of Telecom Hacking
    This talk focuses on the implementation of new security hardening in mobile networks, as well as detection techniques and bypass methods. The scope of the illustration includes both the radio and the signalling core network.
    16:25 - 17:05
    Anastasios Pingios - A Gentle Introduction to Build a Threat Intelligence Team
    The talk focuses on people who are not sure how to start their journey into the world of threat intelligence. By the end of this talk we will have gone through the process, common pitfalls, and a road to success for an intelligence-driven security function. More importantly, the talk will give you the answer to whether or not an intelligence team is something worth pursuing for your organization at this point in time and, if not, when the right time is for you to expand into this area.
    17:10 - 17:15
    Attila Marosi-Bauer - Closing Notes
  • PEST Conference Hall
    09:05 - 09:45
    Filipi Pires - Dissecting and Comparing Different Binaries to Malware Analysis
    Demonstrate the different kinds of structures in binaries such as PE (header and its sections), ELF (header and its sections) and PDF (header/body/cross-reference table/trailer), explaining how each section works within a binary and where it would be possible to "include" malicious code.
    09:50 - 10:10
    László Erdődi - Hacking Arena: an Innovative Learning Platform for Ethical Hackers & Hacker Robots
    The Hacking Arena project is an advanced offensive security-learning platform that has been established to support ethical hacking education at the University of Oslo. As it has now become an open platform, the number of users from around the world is continuously increasing. The arena provides numerous hacking challenges on various topics, such as web hacking or binary exploitation, from beginner to professional level. As machine learning develops, some types of cyber attacks are becoming more and more autonomous, and the complexity of attacks in general is increasing. The main research aim of the arena regarding machine learning is to prepare for such future attacks by studying and analyzing different possibilities for making attacks automatic. The idea behind the machine learning approach is to process the human attackers' (users') data continuously to train the robot hackers. The presentation will introduce the Hacking Arena with live demos of challenges and their solutions, and the principles of the robot hacker training part will be discussed as well.
    10:15 - 10:55
    Zénó Amtmann - The Art of CISO
    While corporations historically tended to outsource their IT operations, and companies were reorganized and established to fulfill this demand by creating shared service centers and centralized, specialized teams focusing on specific segments of the computing environment, the number of individuals who retained the ability to appropriately oversee a corporation's information systems environment dropped significantly. As the business relied more and more on the IT infrastructure and this foundation was targeted by cyber criminals at an increasing rate, C-level executives had to realize that financial threats no longer occur only as a result of a financial misstatement or fraud; they can be the result of an ineffectively or inadequately managed IT infrastructure. In addition, governmental and regulatory scrutiny mandated, and still mandates, that these corporations ensure that the outsourced service provider(s) act in the corporation's best interest and that the corporation retains control over the activities it has outsourced. Consequently, companies are facing these requirements at a time when the number of individuals with accurate knowledge of the company's topology and infrastructure is very limited. That is why the role of a CI(S)O is an art: to understand the big picture, and to communicate the risks and needs of the company to all stakeholders at their level.
    10:55 - 11:15
    Break (10 mins)
    11:15 - 11:55
    Tamás Kocsis & László Kőszegi - "Elmentem Én a Vásárba Schneider Fánival" - Or: Hungarian ICS/OT Security Up Close (HUN)
    TBD
    12:00 - 12:40
    Philipp Krenn - Seccomp - Your Next Layer of Defense
    Why should you allow all possible system calls from your application when you know that you only need some? If you have ever wondered the same, then this is the right talk for you. We are covering:
      • What seccomp is in a nutshell and where you could use it.
      • A practical example with Elasticsearch and Beats.
      • How to collect seccomp violations with auditd.
    Because your security approach can always use an additional layer of protection.
    12:40 - 13:25
    Lunch break (45 mins)
    13:25 - 14:05
    Saurabh Chaudhary - YARA Rules on Steroids
    Whenever we want to proactively hunt for malware of interest for threat intelligence purposes, YARA is the Swiss-army knife that makes the work of malware researchers and threat intelligence researchers easier. Malware developers work just like legitimate software developers, aiming to reduce the time wasted on repetitive tasks wherever possible. That means they create and reuse code across their malware. This has a pay-off for malware hunters: we can learn how to create search rules to detect this kind of code reuse. Traditional YARA rules are written on strings, but if we add code-reuse rules alongside the string rules, the rule will last for decades. For successful and long-term hits, we have to combine both string-based and code-based coverage. The key to efficient YARA rules lies in simple and clear rulesets utilizing both.
    14:10 - 14:30
    István Németh - 0day/APT Defense Strategies at Perimeter
    Regardless of the size of the network, perimeter defense strategies are critical nowadays. In this deeply technical presentation I'll focus on different attack vectors and on defense strategies against those vectors. After the short presentation, I'll focus on a hands-on demonstration, where I'll detonate a few "file-based" attacks targeting the infrastructure in different ways.
    14:35 - 15:25
    Albert Zsigovits - Hunting for Malware: Dissecting DarkRATv2 Through OSINT
    In the summer of 2019, a new malware family started to appear in the wild, identifying itself as the new version of the old DarkRAT. In a short period of time, the developer of DarkRATv2 made a significant number of improvements and updates to his creation. In this talk, I would like to give you a demonstration of how mistakes can lead to more discoveries, how to leverage OSINT means and techniques to learn more about the malware, and ultimately how to pick this specimen apart from an RE point of view. I am planning to give you an end-to-end approach to malware hunting, specifically on how to gather everything about a certain malware family. In the end, we'll learn more about how script kiddies and up-and-coming security researchers make a quick buck by copying entire functions from other malware families.
    15:25 - 15:40
    Break (15 mins)
    15:40 - 16:20
    Mutaz Alsallal - Threat Hunting in Kubernetes
    As organizations adopt containers and microservices architectures, the threat landscape has evolved. Security Operations Centres need to extend their detection and prevention capabilities to hunt for threats in such an environment. The talk will go deeply into this new landscape and show how to detect the related security threats at multiple layers: the container, the underlying host OS, and the whole Kubernetes cluster.
    16:25 - 17:05
    Márk Modly - The Not-So-Boring XML Attacks - Forgotten Methods (HUN)
    In recent years it has become increasingly common for XML-related problems to surface. This is largely due (also) to the fact that the XXE (XML eXternal Entity) attack appeared on the current OWASP Top 10 list. This is welcome; however, in the world of XML it is not only external entities that pose a problem, and we will see that there are other attack surfaces too. Unfortunately, in most cases when someone finds an XML vulnerability, they settle for the smallest win, even though a great deal of useful information could be obtained from the vulnerable system beyond the usual data. We will talk not only about the widespread XML attack techniques, but will also reinvent the wheel a little and hopefully add to our repertoire techniques that seem long forgotten, yet to which systems are still very much vulnerable.
  • Workshop Room
    09:00 - 11:00
    Guillaume Lopes - Android Mobile Hacking
    The workshop is the Android (very) short version of a 3-day training dedicated to learning the basics needed to assess the security of mobile applications (Android and iOS). Guillaume Lopes (@Guillaume_Lopes) will share many techniques, tips and tricks in a 100% hands-on Android workshop for pentesters, bug bounty researchers, app makers or just the curious. Goals:
      • Understanding common mobile vulnerabilities
      • Understanding Android basics
      • Understanding the OWASP MSTG (Mobile Security Testing Guide) and the MASVS (Mobile Application Security Verification Standard)
      • Knowing how to build an Android pentest toolset
    11:00 - 11:10
    Break (10 mins)
    11:10 - 13:10
    Romansh Yadav - Integrating Mobile Security in Your Android Development Project Without Impact
    Android apps are the most preferred way of delivering attacks today. Understanding the finer details of Android app attacks is soon becoming an essential skill for app developers and penetration testers. With live demos using intentionally crafted real-world secure and vulnerable Android apps developed by the author, we shall look into some of the common ways to integrate mobile security into your Android development project without impact, and also how security mechanisms are bypassed or granted permissions misused. This workshop mainly focuses on the security and development aspects of apps for the world's leading mobile operating system, Android.
    13:10 - 13:20
    Break (10 mins)
    13:20 - 15:20
    József Ottucsák - DevSecOps: Security Automation in the CI/CD Pipeline
    The workshop introduces participants to the concept of continuous security testing and showcases a few of the most common FOSS tools for security analysis in the CI/CD pipeline. At the end of the workshop participants will be familiar with static code analysis, dynamic analysis, software component analysis, 3rd-party license analysis and infrastructure testing for Python, node.js and iOS/Android platforms. During the workshop participants will work on a virtual machine that has the tools and test projects pre-installed. The workshop is beginner-friendly, although basic familiarity with modern development tech stacks (containers, cloud) and the ability to read code/JSON is expected. Requirements: a notebook with a VT-x or AMD-V enabled CPU, 8 GB RAM, 40 GB disk space, and VMware Player on GNU/Linux or VirtualBox on Windows or macOS.
    15:20 - 15:30
    Break (10 mins)
    15:30 - 17:30
    Davy Douhine - iOS Mobile Hacking
    The workshop is the iOS (very) short version of a 3-day training dedicated to learning the basics needed to assess the security of mobile applications (Android and iOS). Davy Douhine (@ddouhine) will share many techniques, tips and tricks in a 100% hands-on iOS workshop for pentesters, bug bounty researchers, app makers or just the curious. Goals:
      • Understanding common mobile vulnerabilities
      • Understanding iOS basics
      • Understanding the OWASP MSTG (Mobile Security Testing Guide) and the MASVS (Mobile Application Security Verification Standard)
      • Knowing how to build an iOS pentest toolset

What is BSides?

Security BSides is the first grass roots, DIY, open security conference in the world! It is a great combination of two event styles: structured anchor events and grass-roots geocentric events.

“It is no failure to fall short of realizing all that we might dream. The failure is to fall short of dreaming all that we might realize.”

Dee Hock, Chairman Emeritus, Visa International

‘Security BSides is a community-driven framework for building events for and by participants in the information security community. It creates opportunities for individuals to present and participate in an intimate atmosphere that encourages collaboration. It is an intense event with discussions, demos, and interaction by participants. The goal is to expand the spectrum of conversation beyond the traditional confines of space and time. This is where conversations for the next-big-thing happen. The open platform gives community participants a rare opportunity to directly share ideas, insights, and develop longstanding trusted relationships with others in the community.’ Security BSides

#BSidesBUD2020 is looking for sponsors!

Support BSidesBUD 2020 if…

… you want to earn brand recognition and raise awareness …

… you want to stay in touch with the ITSEC industry …

… you want to stay abreast on the next big thing …

… you want to meet IT students/possible employees …

… you want to build relationships in an international atmosphere …

Hackademy Programme

The BSidesBUD Crew finds it important to support the cyber security profession and community in Hungary; that is why we are offering #BSidesBUD2020 tickets to talented students and their teachers at domestic higher education institutions. The net worth of the offered tickets is more than 0.5 million HUF.

Tickets can be accessed through the HACKADEMY Scholarship Program created by the BSidesBUD Crew.

The Partner Program delivers a total of 50 tickets to the partners in the following breakdown:

  • 30 student tickets (with valid student ID)
  • 20 personal tickets for the teachers

The HACKADEMY Scholarship Program can be joined by any Hungarian higher education institution with IT specialization. For more information, please contact us at [email protected]

You should come if…

… you’re a student who’s interested in IT security…

… you’re a student who wants to work in the field of IT security…

… you’re an IT professional who wants to build relationships with similar experts…

… you want to meet/talk/exchange experience with people who have similar interests…

… you are interested in the latest trends of IT security…

… you want to experience the international atmosphere of BSidesBUD…

Location

  • Address
    Lurdy Konferencia- és Rendezvényközpont
    1097 Budapest, Könyves Kálmán krt. 12-14.
  • Email
    [email protected]