Alexandre Borges - Malware & Security Researcher

Anchises Moraes - Intelligence and Threat Analyst, RSA Security

Branco & Mothe - Principal & Senior Security Researcher, Intel Corporation

Bratus & Torrey - Research Associate & Advising Research Engineer, Dartmouth College & Assured Information Security

Deivison Franco - Senior Security Analyst, Federal Bank of Amazon

Felipe Boeira - Security Researcher, Samsung Electronics

Fernando Merces - Senior Threat Researcher, Trend Micro

Gabriel Negreira Barbosa - Security Software Engineer 2, Microsoft

Guasch & Choliz - Electronic Voting Experts

Jonathan Brossard - Founder/Chief Executive Officer, Toucan Systems

Lenoir & Rigo - Security Research Engineer, Airbus Group Innovations

Marion Marschalek - Principal Malware Analyst, G-Data Advanced Analytics GmbH

Matrosov & Rodionov - Security Researchers, Intel Corporation and ESET

Maximiliano Soler - Security Analyst, An International Bank

Meredith L. Patterson - Software Engineer and Security Researcher, Nuance Communications

Nelson Brito - Security Researcher & Enthusiast

Patroklos (argp) Argyroudis - Security Consultant, Census S.A.

Rafael Silva rfds - Pentester, El Pescador

Ricardo L0gan - Independent Security Researcher

Rodrigo Sp0oker Montoro - Security Researcher, Clavis

Schmidt & Butterly - Pentester/Consultant, ERNW GmbH

Shay Gueron - Senior Principal Engineer & Professor, Intel Corporation & University of Haifa

Thiago Valverde - Security Engineer, Google

Zanero & Evenchick - Associate Professor & CEO, Politecnico di Milano & Linklayer Labs



  Malware Tricks & Anti Forensics methods
 Alexandre Borges
  Lecture 1: Malware tricks

Abstract: Malware has used several tricks to infect systems and stay invisible to defense programs and analysts. This talk is a quick look at a few existing techniques used by malware, such as injection, hooking, hollowing, DKOM, and so on.

Lecture 2: Malware anti-forensic methods

Abstract: Doubtless, malware has improved its protections and made the analyst’s life harder. Nowadays, there are several kinds of techniques that make dynamic and static analysis more difficult. This talk aims to show a summarized list of anti-forensic methods such as anti-VM, anti-debugging, anti-disassembly, and so on. Furthermore, it will give a quick introduction to packers, cryptos and other clever techniques used by malware to become resilient against analysis.

- Malware and Security Researcher
- Malware, Digital Forensic Analysis and Reversing instructor, consultant and speaker.
- Oracle Instructor
- EC-Council and ISC2 Instructor



  Internet's Fallen Heroes
 Anchises Moraes
  In this talk we will review some of the martyrs in the fight for an Internet free of censorship and in favor of freedom of expression and individual privacy. Since its beginning, the Internet has accumulated many people who sacrificed their individual freedoms or even their lives in the attempt to build a free Internet for all of us.
  Anchises Moraes is a workaholic professional with more than 15 years of experience coordinating and deploying Information Security projects at several medium and large companies. He holds a degree in Computer Science from IME-USP and a postgraduate degree in Marketing from ESPM, was president of the ISSA Brazil Chapter from 2008 to 2009, is President of the Brazilian chapter of the Cloud Security Alliance (CSA), and is one of the founders of Garoa Hacker Clube, the first Brazilian hackerspace. He is one of the organizers of the Security BSides São Paulo event. He currently works as an Intelligence and Threat Analyst at RSA Security.



  DPTrace: Dual Purpose Trace for Exploitability Analysis of Program Crashes
 Branco & Mothe
  This research focuses on determining the practical exploitability of software issues by means of crash analysis. The target was not to automatically generate exploits, and not even to fully automate the entire process of crash analysis, but to provide a holistic feedback-oriented approach that augments a researcher's efforts in triaging the exploitability and impact of a program crash (or fault). The result is a semi-automated crash analysis framework that can speed up the work of an exploit writer (analyst). Fuzzing, a powerful method for vulnerability discovery, keeps getting more popular in all segments across the industry - from developers to bug hunters. With fuzzing frameworks becoming more sophisticated (and intelligent), the task of product security teams and exploit analysts to triage the constant influx of bug reports and associated crashes received from external researchers has increased dramatically. Exploit writers are also facing new challenges: with the advance of modern protection mechanisms, bug bounties and high prices for vulnerabilities, their time to analyze a potential issue found and write a working exploit is shrinking.

Given the need to improve the existing tools and methodologies in the field of program crash analysis, our research speeds up dealing with a vast corpus of crashes. We discuss existing problems and ideas, and present our approach, which is in essence a combination of backward and forward taint propagation systems. The idea here is to leverage both these approaches and to integrate them into one single framework that provides, at the moment of a crash, the mapping of the input areas that influence the crash situation and, from the crash on, an analysis of the potential capabilities for achieving code execution. We discuss the concepts and the implementation of two functional tools developed by the authors (one of which was previously released) and go over the benefits of integrating them. Finally, we demonstrate the use of the integrated tool (DPTrace, to be released as open source at Black Hat) with public vulnerabilities (zero-days at the time of their release in the past), including a few that the authors themselves discovered, analyzed/exploited and reported.
  Rodrigo Rubira Branco (BSDaemon) works as Principal Security Researcher at Intel Corporation in the Security Center of Excellence where he leads the Client Core Team. He is the Founder of the Dissect || PE Malware Analysis Project. He held positions as Director of Vulnerability & Malware Research at Qualys and as Chief Security Research at Check Point where he founded the Vulnerability Discovery Team (VDT) and released dozens of vulnerabilities in many important software products. In 2011 he was honored as one of the top contributors to Adobe Vulnerabilities in the past 12 months. Prior to that, he worked as Senior Vulnerability Researcher at COSEINC, as Principal Security Researcher at Scanit and as Staff Software Engineer in the IBM Advanced Linux Response Team (ALRT), also working in the IBM Toolchain (Debugging) Team for PowerPC Architecture. He is a member of the RISE Security Group and is the organizer of Hackers to Hackers Conference (H2HC), the oldest and security research conference in Latin America. He is an active contributor to open-source projects (like ebizzy, linux kernel, others). He has been an accepted speaker at many security and open-source related events such as H2HC, Black Hat, Hack in The Box, XCon, OLS, Defcon, Hackito, Zero Nights, Troopers and many others.

Rohit Mothe worked for iDefense labs, VeriSign as a vulnerability researcher and has many years of experience working with vulnerability hunting and exploit writing. Currently, he is part of the Intel Security Center of Excellence, directly contributing in finding vulnerabilities in the Manageability Engine for Client Platforms.



  LangSec: From Theory to Practice
 Bratus & Torrey
  To be useful, software must process inputs. The format of these inputs is usually described in a standards document---so your programmers just need to implement the standard's requirements correctly, and your software will be safe from maliciously crafted messages or documents, right? Wrong. Time and time again standards have not helped avoid misreadings and misinterpretations, so that individual implementations had both fuzzable and exploitable bugs. Moreover, different implementations of the same standard such as ASN.1 or X.509 have been known to disagree to the extent of their differences being exploitable.

Are programmers always to blame for these bugs, or is something wrong with the standards themselves? Our theoretical analysis shows that it's often the standards' fault. These standards actually set up programmers for inevitable failure---unless countered by a robust SDLC, which we will cover in case studies of implementing popular and complex ICS/SCADA protocols such as DNP3.

Following the theory-based call-to-action, the talk will transition to methods to enhance organizations' SDLC with LangSec-supported practices. Actionable techniques, tools, and methods will be provided to integrate LangSec findings into the software your organizations develop to reduce the defect rate and improve security. Also highlighted will be major development organizations that have developed coding best-practices that are well-aligned with LangSec, thus showing the empirical benefits to these changes to the SDLC.
  Sergey Bratus is a Research Associate Professor of Computer Science at Dartmouth College. His research interests include designing new operating system and hardware-based features to support more expressive and developer-friendly debugging, secure programming and reverse engineering; Linux kernel security (kernel exploits, LKM rootkits, and hardening patches); data organization and other AI techniques for better log and traffic analysis; and various kinds of wired and wireless network hacking. Before coming to Dartmouth, he worked on statistical learning methods for natural text processing and information extraction at BBN Technologies. He has a Ph.D. in Mathematics from Northeastern University. @sergeybratus

Jacob Torrey is an Advising Research Engineer at Assured Information Security, Inc. where he leads the Computer Architectures group and acts as the site lead for the Colorado branch. Jacob has worked extensively with low-level x86 and MCU architectures, having written a BIOS, OS, hypervisor and SMM handler. His major interest is how to (mis)use an existing architecture to implement a capability currently beyond the limitations of the architecture. In addition to his research, Jacob volunteers his time organizing conferences in Denver (RMISC & BSidesDenver) and regular meet-ups across the front range. @JacobTorrey



  The Computer Forensics Process for Cybercrime Investigation: Methodologies, Techniques and Tools
 Deivison Franco
Abstract: We live in the digital age, in which the computer, the Internet and many other technological resources are increasingly part of people's everyday lives, bringing numerous benefits. However, with the advent of so many benefits also comes the possibility of new illicit and criminal practices, since all this technological apparatus makes life easier for everyone but inevitably ends up becoming a new means of committing offenses. This is due to the ease of anonymity when one is in front of a computer, combined with techniques to conceal the digital evidence that could prove a crime and link it to its author(s). Thus, with the growing number of cybercrimes came the need to establish processes and methodologies to investigate them. Therefore, the purpose of this lecture is to cover the Computer Forensics process for investigating cybercrimes, showing its methodology, techniques and tools, in order to show when, how and where the computer forensics expert operates.
Mini Bio: Master's Degree in Computer Science (research in Applied Cryptography) and in Business Administration (research in Information Security for Technological Innovation). Specialist in Forensic Sciences (Computer Forensics emphasis), Computer Networks Security and Computer Networks. Graduated in Data Processing. Senior Security Analyst at Federal Bank of Amazon. University Professor. Computer Forensics Expert. Computer Forensics and Information Security Researcher and Consultant. IT Auditor and Penetration Tester. Member of the IEEE Information Forensics and Security Technical Committee. Member of the Brazilian Society of Forensic Sciences. C|EH, C|HFI, DSFE and ISO 27002 Advanced.



  Android Resiliency Defense Strategy
 Felipe Boeira
  The Android mobile operating system has the largest market share on smartphones, which makes it a target for attackers seeking personal information leakage, industrial espionage, profit and fun. Kernel vulnerabilities are largely exploited in this context in order to achieve privilege escalation and perform unauthorized actions. By analyzing the exploitation modus operandi and the mobile operating system characteristics, Defex (Defeat Exploitation) has been designed to provide a set of security controls that act as an adaptive immune system to learn the smartphone's behavior and proactively respond to exploitation. Defex can currently detect vertical and horizontal privilege escalation, learn and enforce system call policies, learn and enforce command signatures on execve, and perform runtime binary integrity verification, among other security controls. The objective is to enhance the smartphone's resiliency with multiple layers of protection that can assist one another.
  Felipe is a security researcher at Samsung Electronics experienced in mobile security, cyberfraud and penetration testing. Felipe is currently involved in Research & Development of novel security resiliency mechanisms for Android, Linux Kernel and IoT.



  Protecting Linux against ring3 rootkits
 Fernando Merces
  There are millions of Linux servers exposed to the Internet. Even though rootkits are created to be stealthy, there are some useful techniques that can help administrators detect their presence. Jynx, Azazel and Umbreon are just a few examples of ring3/userland rootkits that are easily detectable with the techniques presented in this presentation, where I'll show the analysis of Umbreon, a multi-architecture rootkit I recently dissected, with a special focus on detection and prevention.
  Fernando is a Senior Threat Researcher at Trend Micro Forward-Looking Threat Research Team. He's mainly focused on investigating criminal activities, underground research and malware analysis. As an open source evangelist, he is the creator of many open source security tools, like 'pev', a PE analysis toolkit containing command-line tools to deeply inspect binaries. He also works on APT investigations worldwide and enjoys preparing traps to attract criminals.



  The intersection between security and virtualization: a holistic view
 Gabriel Negreira Barbosa
  This talk will discuss virtualization from a security perspective, showing things that can go wrong as well as some ways to use this technology to improve the security of systems. To that end, some virtualization and architecture concepts will be discussed, along with important attack surfaces and scenarios. Finally, examples of technologies that use virtualization to enhance security will be presented. After the talk, attendees are expected to have a better understanding of virtualization, its associated risks, and some ways in which the technology can be used to improve the security of their systems.
  Gabriel Negreira Barbosa works as a Security Software Engineer 2 at Microsoft. Previously, he worked as a senior security researcher at Intel and as a lead security researcher at Qualys. He received his bachelor's degree in computer science from PUC-SP and his master's degree from ITA, where he also worked on security projects for the Brazilian government and Microsoft Brazil. He has presented at several conferences, such as H2HC, Troopers, Black Hat USA, BSides (Portland and DFW), SACICON, among others.



  Voting Among Sharks
 Guasch & Choliz
  Internet Voting is coming, and more and more countries are starting to use it: Canada, Mexico, France, Australia, Switzerland, etc. Security experts worldwide distrust its security, and this concerns citizens. However, there are a lot of security controls based on advanced cryptography that are applied to this area. The goal of this talk is to show the security mechanisms that are implemented worldwide on Internet Voting. If it is coming, let's establish the grounds for its security.
  Jesús Chóliz has more than 15 years of experience in IT Security. He started researching the security of Internet Voting in 2010. He is currently the Director of Security at a software company specialized in Internet Voting, and is responsible for the security of elections worldwide. Prior to his work on Internet Voting, he was a Security manager performing security audits and advisory projects for the top organizations in Spain. His experience in eDemocracy is related to Internet Voting, Results Consolidation, and Public consultations, in several European countries, the USA, Canada, the Latam region, and Asia Pacific. He has published papers and posters at NIST workshops and academic conferences, and has presented at the Hack in Paris 2016 conference.

Dr. Sandra Guasch is a Researcher specialized in Cryptography applied to Electronic Voting since 2009. She has participated actively in electronic voting projects in Europe, the United States and Asia Pacific. Her main focus areas include analysis at a mathematical and implementation level of public key cryptographic algorithms, design and evaluation of security protocols for electronic voting systems and participation in risk analysis of electronic voting solutions. She obtained her PhD with a Thesis about verifiability methods applied to eVoting. She has presented her work at different electronic voting conferences (Estonia, Austria, Luxembourg and Switzerland), and also at general Cryptography events like the Real World Crypto conference in New York, Financial Crypto 2016 in Barbados, and Hack in Paris 2016.



  Witchcraft Compiler Collection : towards self aware computer programs
 Jonathan Brossard
  With this presentation, we take a new approach to reverse engineering. Instead of attempting to decompile code, we seek to undo the work of the linker and produce relocatable files, the typical output of a compiler. The main benefit of the latter technique over the former being that it does work. Having achieved universal code 'reuse' by relinking those relocatable objects as arbitrary shared libraries, we'll create a form of binary reflection, add scripting capabilities and in-memory debugging using a JIT compiler, to attain automated API prototyping and annotation, which, we will argue, constitutes a primary form of binary code self awareness. Finally, we'll see how abusing the dynamic linker internals shall elegantly solve a number of complex tasks for us, such as calling a given function within a binary without having to craft a valid input to reach it.

The applications in terms of vulnerability exploitation, functional testing, static analysis validation and more generally computer wizardry being tremendous, we'll have fun demoing some new exploits in real life applications, and commit public program profanity, such as turning PEs into ELFs, functional scripting of sshd in memory, stealing crypto routines without even disassembling them, among other things that were never supposed to work. All the above techniques have been implemented into the Witchcraft Compiler Collection, to be released as proper open source software (MIT/BSD-2 licenses).
  Jonathan Brossard is a computer whisperer from France, although he's been living in Brazil, India, Australia and now lives in San Francisco. For his first conference at DEF CON 16, he hacked Microsoft Bitlocker, McAfee Endpoint and a fair number of BIOS Firmwares. During his second presentation at DEF CON 20, he presented Rakshasa, a BIOS malware based on open source software, which the MIT Technology Review labeled 'incurable and undetectable'.

This year was his third DEF CON ... Endrazine is also known in the community for having run the Hackito Ergo Sum and NoSuchCon conferences in France, participating in the Shakacon Program Committee in Hawaii, and authoring a number of exploits over the past decade, including the first remote Windows 10 exploit and several hardcore reverse engineering tools and whitepapers. Jonathan is part of the team behind MOABI.COM, and acts as the Principal Engineer of Product Security at Salesforce.



  Lost your secure HDD PIN? We can help!
 Lenoir & Rigo
  USB HDD enclosures with encryption and pinpads are convenient and (supposedly) secure. In this paper we present our analysis of several models, analysing both the design and implementation. We show that most of them have serious design flaws, some are totally broken and one even has a backdoor. After taking a step back and reflecting on the ecosystem, we propose a better design.
  We both work for Airbus Group Innovations (previously known as EADS Innovation Works), in the "cyber security" lab.

Raphaël is a security research engineer, specialized in reverse engineering.
His previous publications include :
* Black Hat Europe 2015 : A peek under the Blue Coat.
* Ruxcon 2015 : A peek under the Blue Coat.
* 2015 : Attacking hardware for software reversers: Analysis of an encrypted HDD.
* SSTIC 2015 : Analysis of an encrypted HDD (Hardware RE for software reversers), with Joffrey Czarny.
* SyScan 2015 : The challenges in designing a secure hard drive.
* SSTIC 2012 : Sécurité de RDP, with Aurélien Bordes and Arnaud Ebalard.
* DeepSec 2010 : Android: forensics and reverse engineering.

Julien is a security research engineer, mainly doing audits of security products and reverse engineering.
His previous publications are :
* SSTIC 2016 : Gunpack
* HITB Singapore 2015 : implementing your own generic unpacker



  Rogue Behavior Detection: Tackling binaries while they are on the ground
 Marion Marschalek
  Every other binary I put into a disassembler makes me think oh wait.. I have seen this before. Then, one day, I started thinking oh wait.. can I put the 'seen this before' into use somehow? How would that be, if I could just click a button and would be told that the stack of bytes in front of me seeks to gain persistence, contact a remote server and wishes to log my keystrokes? This, in fact, is knowledge an analyst can gather very quickly when disassembling a given binary, automatic evaluation though is a big challenge - for static as well as dynamic analysis techniques.

This talk will present a survey of static behavior detection, where it will be shown how much information about the intentions of a binary can be gained solely from its implementation. This research relies on radare2 in order to extract appropriate features from Windows binaries. The main focus will be targeted malware, as most of it comes only lightly packed or not at all. Within the either called or dynamically loaded APIs one can see potential behavior patterns, certain string patterns reveal evil intentions, sometimes implementation techniques tell about the author's trail of thought.

Questions will be tackled, such as does the binary come packed or maybe just partially obfuscated? Does it try to hide something? Does it expose hints of explicit functionality, like, can it perform process injection or install a keylogger? Does the structure of the binary give an idea of its intentions, was it designed to communicate to a driver or maybe is a part of a bigger application?

The benefits and limitations of this approach will be discussed and a case study is presented to show how static behavior detection can aid existing analysis techniques.
  Marion is a Principal Malware Analyst at G Data Advanced Analytics GmbH. Marschalek also worked as Malware Analyst and Threat Researcher at Cyphort. Also she teaches basics of malware analysis at University of Applied Sciences St. Pölten and writes articles for security magazines. She has spoken at international conferences such as Defcon Las Vegas, RSA San Francisco and POC Seoul. In March last year she won the Female Reverse Engineering Challenge 2013, organized by RE professional Halvar Flake.



  UEFI Firmware Rootkits: Myths and Reality
 Matrosov & Rodionov
  UEFI firmware security has become a very hot topic just recently. The number of publications appearing over the last few years disclosing and discussing vulnerabilities in UEFI firmware adds up to an extensive list. These vulnerabilities allow an attacker to compromise a system at one of the most privileged levels and gain complete control over the victim's system. In this presentation the authors will take a look at these state-of-the-art attacks against UEFI firmware from a practical point of view and analyze the applicability of attacks disclosed in this way to real life scenarios, examining whether these vulnerabilities can be easily used in real-world rootkits for targeted attacks. As an example of such an attack we consider the following scenario: an attacker gets admin/system privileges on a victim’s system and executes a System Management Mode (SMM) exploit from normal kernel-mode in order to escalate privileges from Ring 0 to Ring -2 (SMM): this allows him in some cases to modify the contents of the BIOS Flash storage (DXE drivers, S3 Boot Script and so on) and to install a persistent rootkit.

In the first part of the presentation the authors will delve into different types of UEFI firmware vulnerabilities to summarize and systematize known attacks. We consider whether a vulnerability is specific to a particular firmware vendor or is exploitable on a wide range of systems and configurations, whether an attacker needs physical access to a victim’s system or is able to exploit the vulnerability remotely, and so on. Such a classification is useful because it helps us to understand the likelihood and potential impact of such an attack. From this perspective the authors will determine which attacks can be easily employed by rootkits in “real-world” targeted attacks and which of them are unlikely to make it beyond the Proof of Concept (PoC) stage of research.

In the second part of the presentation the authors will look at defensive technologies and how one can reduce the severity of some attacks targeting UEFI firmware. Primarily, they will focus on contemporary mitigation tools implemented on modern Intel-based platforms - Boot Guard and BIOS Flash Write Protection. Boot Guard is a hardware-based integrity protection technology that attempts to protect the system before Secure Boot starts. In the context of BIOS Flash Write Protection the authors will consider methods based on the BIOS Write Enable bit (BIOSWE), the BIOS Lock Enable bit (BLE), SMM based write protection (SMM_BWP) and on SPI Protected Ranges (PRx) registers – one of the latest firmware security technologies. The most recent technology, BIOS Guard, has been delivered since the Intel Skylake CPU release. BIOS Guard is a platform armoring technology that protects firmware flash storage from malicious modifications. Even if an attacker has access to modify flash memory, BIOS Guard can prevent execution of malicious code and protect flash memory from malicious modifications. All these mechanisms will be analyzed by the authors from the point of view of counteracting existing UEFI firmware vulnerabilities and attacks.
  Alex has more than a decade of experience focused on reverse engineering advanced malware, firmware security and modern exploitation techniques. Currently he holds the position of Principal Security Researcher at Intel Security Center of Excellence (SeCoE), where he leads BIOS security for Client Platforms. Prior to this role, he spent over six years at Intel Advanced Threat Research team and ESET where he was the Senior Security Researcher. He is co-author of numerous research papers and of the book “Rootkits and Bootkits: Reversing Modern Malware and Next Generation Threats”. Alex is frequently invited to speak at practical security conferences, such as REcon, Ekoparty, H2HC, Zeronights, BlackHat and DEFCON. He was also awarded by Hex-Rays for the open-source plugin HexRaysCodeXplorer, which has been developed since 2013 by REhint’s team.

Eugene Rodionov graduated with honours from the Information Security faculty of the Moscow Engineer-Physics Institute (State University) in 2009 and successfully defended his PhD thesis in 2012. He has been working over the past six years at ESET, where he is involved in internal research projects and also performs in-depth analysis of complex threats. His interests include kernel-mode programming, anti-rootkit technologies and reverse engineering. Eugene has spoken at security conferences such as Black Hat, REcon, Virus Bulletin, Zeronights, CARO and AVAR, and has co-authored numerous research papers.



  HTTP2 Overview: A journey by RFC
 Maximiliano Soler
  Abstract: In this journey through RFC 7540 we will talk about the principles of HTTP/2, how it works, its benefits and improvements, the differences from HTTP/1.1, HTTP frames, streams and multiplexing, as well as new security considerations and potential attacks on this binary protocol.


01- Introduction
02- HTTP/2 Protocol Overview
03- Starting HTTP/2
04- HTTP Frames
05- Frame Definitions
06- Streams and Multiplexing
07- Error Codes
08- HTTP Message Exchanges
09- Additional HTTP Requirements/Considerations
10- Security Considerations
  Maximiliano Soler lives in Buenos Aires, Argentina. He currently works as a Security Analyst for an International Bank with a focus on Penetration Testing and Web Application Security. He publishes content at ToolsWatch, about open source tools and awesome weapons.



  Functional Programming Without a Functional Language
 Meredith L. Patterson
  Functional languages have given rise to many powerful idioms, like parser combinators and iteratees, for managing the flow of data. What's a developer stuck with a procedural language to do? Never fear: a sufficiently stubborn programmer can implement functional idioms in any language. In this talk, we'll explore the internals of Hammer, an experimental parser combinator library, which targets context-sensitive, context-free, and regular parsing backends and is written in C. We'll also look at nom, which combines Hammer's approach with Rust's macro system to produce blindingly fast parsers. Finally, we'll talk about the security benefits of functional input handling with a real-world case study drawn from the world of industrial control systems.
  Meredith L. Patterson is a software engineer and security researcher living in Brussels, Belgium. She co-chairs the IEEE Workshop on Language-Theoretic Security, having started the field in 2005. She holds a B.A. and an M.A. in linguistics and currently works for Nuance Communications.



  Information Security Community
 Nelson Brito
  A fun yet critical look at the Brazilian information security community, discussing its yesterday, today and tomorrow. There are no controversies or polemics; there are different views and plenty of debate. Still, we need to pay attention to what is happening at the present moment, trying, in a relaxed way, to understand the trends and to leave aside the “mongrel complex” and the “bonfire of the vanities” that so often plague members of the Brazilian community. Keep in mind that people are not controversial, the topics are…
  Nelson Brito, the T50 Creator, is just another Security Researcher & Enthusiast, addicted to playing with computer and network (in)security. He is a regular and sought-after speaker at conferences in Brazil — IME, CNASI, CONIP, SERPRO, ITA, H2HC, CIAB Workshop, BSidesSP, Silver Bullet, BHAck, YSTS — and he is also the only Brazilian to speak at PH-Neutral (Berlin, Germany — 2011). Nelson is probably best known by industry experts, professionals, enthusiasts and academic audiences for his independent research work — “Permutation Oriented Programming”, “SQL Fingerprint™ NG”, “T50: An Experimental Mixed Packet Injector”, “Inception: Reverse Engineering Hands-on”. A special mention goes to the T50, which has been used by several companies to validate their infrastructure and has been incorporated by several Linux Distros (ArchAssault, BackTrack, BlackArch, Kali), due to its innovation and its sequential multi-protocol injection capability.



  Keynote: Reflections on vulnerability research; is the only winning move not to play?
 Patroklos (argp) Argyroudis
  Witness argp trying to reflect on his vulnerability research work, navigating among random thoughts on the modern IT security landscape, bug bounties, 0day fetishisation, commercialization, CONs, community, and hacker spirit. I promise there will be no analogies (silly or smart), and perhaps no clear conclusion. But you will get plenty of "scene" memes and in-jokes (no guarantees that they will be funny though). Isn't that what a keynote is about really?
  Patroklos Argyroudis (argp) is a computer security researcher at CENSUS S.A., a company that builds on strong research foundations to offer specialized IT security services to customers worldwide. His main expertise is vulnerability research, exploit development, reverse engineering and source code auditing. Patroklos has presented his research at several international security conferences (Black Hat USA, Black Hat EU, Infiltrate, PH-Neutral, ZeroNights, etc.) on topics such as kernel and heap exploitation, kernel protection technologies, and network security protocols. He holds a PhD in Computer Science from Trinity College Dublin, where he has also worked as a postdoctoral researcher on applied cryptography; designing, implementing, and attacking network security protocols.



  Sending Phishing as an Art
 Rafael Silva rfds
  Sending phishing as an art. Phishing is a technique for obtaining sensitive information through fake emails and/or pages. In this talk I will demonstrate how to create targeted campaigns for phishing attacks using techniques such as IMG Buster, DNS Pharm, TimeStamp Mail, Cisco Phishing and Unsub Flood, in addition to exploring the psychological side of the click.
  Works in offensive information security (pentest, web/mobile application analysis, malware, phishing). He was a security and intelligence consultant for the Brazilian Air Force (FAB) and a lecturer in postgraduate information security courses. With 13 years of experience in the field, he has recently been researching phishing, creating the first platform in Brazil for sending educational phishing, El Pescador. He has spoken at events such as: Infiltrate Conference, HITB Amsterdam, Mind The Sec, Confidence @ Krakow, Alligator Conference, CryptoRave @ SP.



  R3MF: R3v3rs1ng on MachO File
 Ricardo L0gan
  Part of this presentation is based on research published in 2015, which demonstrated the increasing spread of Mach-O malware binaries and how to analyze this type of binary. In this presentation, we will explain the structure of the binary in more detail, using debuggers and reverse engineering techniques. The knowledge gained will be useful for malware analysis as well as for crackme-type challenges in CTFs.
  Security Specialist with over 15 years of experience, enthusiastic about malware research, pentest and reverse engineering. I have solid knowledge of topics like network security, hardening and tuning across multiple platforms such as Windows, Linux, OS X and Cisco. Beginner in programming languages such as Python, C and Assembly. In Brazil I contribute to the Slackware community (Slackshow and Slackzine) and I’m a member of the staff of some events: H2HC, SlackShow and Bsides SP.



  EventID Field Hunter: Looking for malicious activities in your Windows events
 Rodrigo Sp0oker Montoro
  There are thousands of possible Windows event IDs, split into 9 categories and 50+ subcategories. The Windows Event Logs provide a historical record of a wide range of actions; such as login/logoff, process creation, files/keys modifications, and packet filtering. These logs provide investigators with a wealth of information that can be analyzed in many different ways.

Looking into millions of EventIDs in our daily work, we figured out another way to point to malicious activity: by splitting the analysis into each field of an EventID alert, we have proven that you can create a deep analysis of the event itself. By correlating these alerts with your network and business requirements, you can make detection more accurate and generate less “noise”, thereby helping your staff to prioritize which events to handle first. As a Proof of Concept (PoC) we analyzed and scored 3 events that we mapped as key points for malicious activities:

4663 - An attempt was made to access an object (File/Registry)
4688 - A new process has been created
5156 - The Windows Filtering Platform has allowed a connection

In this talk we will discuss how we analyzed and scored each field from those events, ideas for implementation, and projects and results based on our deployment, and illustrate how you could use EventIDs as a more powerful detection vector to identify specific user behaviors and activity patterns.
  Rodrigo "Sp0oKeR" Montoro has 15 years of experience deploying open source security software (firewalls, IDS, IPS, HIDS, log management) and hardening systems. Currently he is a Security Researcher / SOC at Clavis. Before that he worked as Senior Security Administrator at Sucuri and as a Spiderlabs Researcher, where he focused on IDS/IPS signatures, Modsecurity rules, and new detection research. Author of 2 patented technologies involving discovery of malicious digital documents and analyzing malicious HTTP traffic. He is currently coordinator and Snort evangelist for the Brazilian Snort Community. Rodrigo has spoken at a number of open source and security conferences (OWASP AppSec, Toorcon (USA), H2HC (São Paulo and Mexico), SecTor (Canada), CNASI, SOURCE Boston & Seattle, ZonCon (Amazon Internal Conference), BSides (Las Vegas and São Paulo), Blackhat Brazil) and serves as a coordinator for the creation of new Snort rules, specifically for Brazilian malware.



  Dumpster Driving 16: LTE4G Basestations
 Schmidt & Butterly
  While dumpster driving used to be a crucial aspect of learning and preparations for hacks, the modern approach is buying stuff from eBay! While it's a common idea to buy routers, switches, phones, laptops or hard disks, we decided to take it to the next level by buying a complete 4G/LTE base station.

A few years back we started giving a series of talks on the theoretical security of LTE/4G networks titled "LTE vs. Darwin". As announced back then, we wanted to extend our research into practical implementations and get our hands dirty. As a basis we luckily found an eNodeB which we bought, set up and analyzed in detail. This talk will give an overview of our complete lab setup and how we got the eNodeB up and running. It will also give detailed insight into what we found that the previous owner had obviously left behind. Afterwards we would also love to present circumventions for the security measures we found. As such we will give you a complete walk through from first contact to total ownage of this 4G/LTE base station.
  Hendrik Schmidt and Brian Butterly are seasoned security researchers with vast experience in large and complex enterprise networks. Over the years they focused on evaluating and reviewing all kinds of network protocols and applications. They love to play with packets and use them for their own purposes. In this context they learned how to play around with telecommunication networks, and wrote protocol fuzzers and spoofers for testing their implementation and security architecture. Both are pentesters and consultants at the German-based ERNW GmbH and will happily share their knowledge with the audience.



  Keynote: Is your memory protected? Attacks on encrypted memory and constructions for memory protection
 Shay Gueron
  An attacker who has physical access to a computing platform, and the means to read and modify the memory contents, can be a serious security threat. The ability to passively read memory compromises secrets that reside thereon, and the ability to actively modify memory can be used for circumventing the platform's policy/security mechanisms.

Known examples of such attacks are the cold boot attacks and the DMA attacks, which can extract sensitive data from the RAM. In response to such attacks, several main-memory encryption schemes have been proposed. Also, hardware vendors have acknowledged the threat and have already announced hardware-based memory encryption solutions.

Encrypting the RAM will protect the user's content against passive eavesdropping, but is this also a dependable protection mechanism in practice, against an active adversary who can modify memory contents?

As I will discuss in the talk, the answer to this is, unfortunately, negative.
  Shay Gueron is an Associate Professor at the Department of Mathematics at the University of Haifa in Israel. In addition, he is also an Intel Senior Principal Engineer, serving as the Chief Core Cryptography Architect of the CPU Architecture Group. In this role, he is responsible for some of the latest CPU instructions that speed up cryptographic algorithms, such as the AES-NI and the carry-less multiplier instruction, the coming VPMADD52 instruction for public key operations, and for various micro architectural enhancements in the Intel Cores.

Shay's interests include applied cryptography, applied security, and applied algorithms. He has contributed software patches to open source libraries, such as OpenSSL and NSS, offering significant performance gains to encryption, authenticated encryption, public key algorithms, and hashing. He is one of the architects of the new Intel® Software Guard Extensions (SGX) security technology, in charge of the cryptographic definition and implementation of SGX. He is the inventor of the Memory Encryption Engine that is part of the latest Intel processor, micro-architecture codename Skylake. Together with Professor Lindell and Adam Langley of Google, Shay is a co-author of the AES-GCM-SIV nonce misuse resistant authenticated encryption, submitted to the IETF / CFRG.



  Breaking the bank: practical Android reverse engineering
 Thiago Valverde
  Many banks offer TOTP code generators in their mobile apps as a second factor of authentication. Using open-source tools, I will walk you through the process of reverse-engineering a Brazilian bank's Android app, understanding how it works, defeating obfuscation techniques, and cloning your own code generator onto a new device. Meanwhile, you will get an interesting glimpse of how these apps are developed, some of the very bad decisions made in the process, and you will probably start thinking twice before using mobile banking apps in public networks.
  Thiago Valverde graduated from Unicamp in Computer Engineering, and has been working on security since, in Brazil (at UOL Host and Glio) and in the US (at Microsoft and Google). Currently, he's part of the Vulnerability Reward Program and does security reviews and crypto development at Google.



  Risk based secure design of automotive networks
 Zanero & Evenchick
  Automotive security has gained a lot of attention in terms of hacking, but little has been done until now to promote safe security engineering design practices. In this talk we will outline a methodology to derive security requirements for automotive network architectures from a sound threat assessment methodology, in compliance with SAE standard J3061 and subsequent recommendations. We will begin by introducing the audience to how cars are computers on wheels. Then, we will walk through several high-profile "stunt hacking" incidents of the past few years that have wakened the attention of the general public and the OEMs to the problem of cybersecurity. We believe that this research, while interesting, fell short of stimulating actions by the OEMs because in order to act there needs to be a clear business case of risk reduction, and a clear way to spend money and engineering time in fixing issues.

For this reason, we have developed an automotive-tailored threat assessment methodology which allows derivation of security requirements for automotive networks (in terms of architecture and in terms of specifications for the components). We will describe the taxonomy of threats and risks that our methodology takes into account, then we will show how we map them onto attack trees. The key point of the methodology is how these attack trees can be linked with the layout of the network and produce specifications and security requirements that can be given to suppliers or testers. Finally, we will review how the methodology fits with the process outlined by SAE standard J3061 and subsequent recommendations.
  Eric is the CEO and founder of Linklayer, a consulting company working on automotive security. While studying electrical engineering at the University of Waterloo, he worked with the University of Waterloo Alternative Fuels Team to design and build a hydrogen electric vehicle for the EcoCAR Advanced Vehicle Technology Competition. Eric has also worked on automotive firmware at Tesla Motors, worked on building vehicle systems at Faraday Future, and is a contributor for

Stefano received a PhD in Computer Engineering from Politecnico di Milano, where he is currently an associate professor. His research focuses on malware analysis, cyberphysical security, and systems security. He has extensive speaking and training experience in Italy and abroad. He coauthored over 60 scientific papers and books. He is a Senior Member of the IEEE, the IEEE Computer Society (for which he is a member of the Board of Governors), and a lifetime senior member of the ACM. Stefano has been named a Fellow of ISSA and sits on its International Board of Directors. Stefano is also a co-founder and chairman of Secure Network, a leading penetration testing firm based in Milan and in London, and a co-founder of BankSealer, a startup in the FinTech sector.