Bryan Fite - Senior Cyber Physical Innovation program manager, British Telecom

Butterly & Schmidt - Security Researchers, ERNW

Diego Aranha - Professor, Universidade Estadual de Campinas (UNICAMP)

Flavio Shiga - Service Manager, IBLISS

Gabriel Barbosa - Senior Security Researcher, Intel

Goll & Kinast - Product Managers, Dígitro

Ilfak Guilfanov - Founder, Hex-Rays

Jan Seidl - Senior SCADA/ICS Security Consultant, BPC Plus

Matias Katz - Penetration Tester, Mkit Argentina

Nelson Brito - Researcher & Enthusiast

Nikita Tarakanov - Independent Security Researcher

Otavio Cunha - Electronics Engineer

PaX Team - PaX Project

Sergey Bratus - Research Associate Professor, Dartmouth College

Sergey Shekyan - Principal Engineer, Shape Security

Stefano Zanero - PhD, Committee member, H2HC and Black Hat

Vladimir Wolstencroft - Security consultant and Researcher, Aura Information Security

Yurii Khvyl - Senior Malware Analyst, eCrime Unit CSIS Security Group



  Simulating Cyber Operations
 Bryan Fite
  “Do you want to play a game?” It’s not polite to hack your neighbor, but how else can a national CSIRT and critical enterprises train and assess cyber warriors? Simulations and games are an effective approach. However, there are many cyber security games, competitions and training platforms, and they vary widely in effectiveness, assessment capabilities and flexibility. In addition, most are closed and proprietary in nature. What is needed is a publicly adopted cyber operations simulation standard to support training, assessment and tool & technique development across platforms. I will share an innovative way to describe Cyber Operations Simulation elements by abstracting the primitives and describing their interaction via a Scenarios Definition Language. I will describe the methodology & approach and the fundamental object types, and teach attendees how to run their own simulations.
  Bryan K. Fite: A committed security practitioner and entrepreneur, Bryan is currently a Senior Cyber Physical Innovation program manager at BT. Having spent over 25 years in mission-critical environments, Bryan is uniquely qualified to advise organizations on what works and what doesn’t. Bryan has worked with organizations in every major vertical throughout the world and has established himself as a trusted advisor. “The challenges facing organizations today require a business reasonable approach to managing risk, trust and limited resources while protecting what matters.”



  Physical Access and Lame Hardware
 Butterly & Schmidt
  Sitting in front of a device for the first time is just as good as finding a treasure chest: although you never know what's inside, you're sure that it'll be shiny and highly valuable. Physical devices always contain very different assets, or things the vendor wants to protect and you want to have. Where a treasure chest has its lock, an embedded device such as a thin client, a car, a fridge or even a mobile operator's cell mast has a large variety of different screws, pins and ports. Some of these are just there for the vendor or a technician, in case of a fault - for debugging, programming and configuration. To our luck, many vendors overestimate the security of screws, missing pin headers, warning labels and the phrase "nobody will ever try to do that". Over the past few years, we have tried quite a few different things ourselves and have followed many, many attacks that were published. The fact is that many vendors leave behind interfaces that are easily found and enable deep access to the attacked device. It sometimes seems that nobody ever thought about possible attacks against the devices.

Our talk will give an overview of approaches we have used and are still using when evaluating devices, and will show a set of physical access protection no-gos. Beyond that, classical physical protection solutions will be presented, with their upsides and downsides.
  Hendrik Schmidt and Brian Butterly are seasoned security researchers with vast experience in large and complex enterprise networks. Over the years they have focused on evaluating and reviewing all kinds of network protocols and applications. They love to play with packets and use them for their own purposes. In this context they learned how to play around with telecommunication networks, and wrote protocol fuzzers and spoofers for testing their implementation and security architecture. Both are pentesters and consultants at the German-based ERNW GmbH and will happily share their knowledge with the audience.



  Circumventing Cryptography
 Diego Aranha
  Rational attackers do not attack cryptography directly; they always seek to circumvent it. There are countless points at which cryptographic techniques fail in practice, from the insecure generation and distribution of cryptographic keys and the inadequate choice of algorithms and parameters, to the leakage of critical information through side channels. This talk will discuss ways of exploiting some of these vulnerabilities, illustrated with real cases from Brazil and around the world.
  Diego Aranha has been a Professor (Professor Doutor) at the Universidade Estadual de Campinas (Unicamp) since 2014. He coordinated the first team of independent investigators able to detect and exploit vulnerabilities in the electronic voting machine software during controlled tests organized by the Superior Electoral Court (Tribunal Superior Eleitoral). He has experience in Cryptography and Computer Security, with emphasis on the efficient implementation of cryptographic algorithms and the design of cryptographic primitives for providing computational anonymity.



  APIs for financial transactions: can we trust them?
 Flavio Shiga
  Nowadays it is very common for companies that sell products over the internet to outsource their payment service, in order to avoid investing in the development of this functionality, as well as to avoid compliance issues and other liabilities for payments, such as chargebacks.

In this talk I will also demonstrate how attacks can happen in this kind of scenario and what the impact could be if it were exploited at large scale.
  Flávio K. Shiga has worked in Information Security and Information Technology for more than 11 years, in segments such as airlines, banking, energy, government, hospitals, retail and telecommunications, among others. He is currently a service manager at IBLISS, helping companies reduce risk and business impact.



  Distributing the Reconstruction of High level Intermediate Representation for Large Scale Malware Analysis
 Gabriel Barbosa
  Malware is acknowledged as an important threat and the number of new samples grows at an absurd pace. Additionally, targeted and so called advanced malware became the rule, not the exception. Analysts and companies use different degrees of automation to be able to handle the challenge, but there is always a gap. Reverse engineering is an even harder task due to the increased amount of work and the stricter time-frame to accomplish it. This has a direct impact on the investigative process and thus makes prevention of future threats more challenging.

In this work, the authors discuss distributed reverse engineering techniques, using intermediate representation (thanks to the Hex-Rays team for supporting us in this research) in a clustered environment. The results presented demonstrate different uses for this kind of approach, for example finding algorithmic commonalities between malware families.

A higher level abstraction of the malware code is constructed from the abstract syntax tree (ctree) provided by Hex-Rays Decompiler. That abstraction facilitates the extraction of characteristics such as domain generation algorithms (DGA), custom encryption and specific parsers for configuration data. In order to reduce the number of false positives in some C++ metadata identification, such as virtual function tables and RTTI, the authors created the object-oriented artifacts directly from the analyzed malware.

The extracted characteristics of 2 million malware samples are analyzed, and the presented results provide a rich dataset to improve malware analysis efforts and threat intelligence initiatives. With that dataset, other researchers will be able to extract a ctree from new samples and compare them against the millions we processed.

As an additional contribution, the gathered representation together with all the raw information from the samples will be available to other researchers after the presentation; together with additional ideas for future development. The developed Hex-Rays Decompiler plugin and analysis/automation tools used to extract the characteristics will also be made available to the audience on Github.
  Gabriel Negreira Barbosa works as a Senior Security Researcher at Intel. Prior to that, he worked as a security researcher in the Qualys Vulnerability & Malware Research Labs (VMRL). He received his MSc degree from the Instituto Tecnológico de Aeronáutica (ITA), where he also worked on security projects for the Brazilian government and Microsoft Brazil.



  The Right to Privacy in the Face of Reality
 Goll & Kinast
  Considering Terence's famous saying, “Nothing human is alien to me,” it is not surprising that human beings, when migrating their activities to the virtual environment, take their own conduct and convictions with them. Thus, it can be recognized that the evolution of technology has driven some types of crime previously restricted to the “real world”.

The presentation will address the foundations needed for the required balance between the ethical questions and the technological aspects associated with the court-ordered lifting of confidentiality (quebra de sigilo), as well as questions that must be considered in order to avoid our own abuses.

The topic leads us to face some questions:
• Why violate the privacy of others?
• How far does the privacy of those under strong suspicion of crimes against society extend?
• Does personal satisfaction justify invading the privacy of others?
  Andreia S. G. da Silva and Joao A. P. Kinast are product managers at Dígitro with vast experience in lawful interception (quebra de sigilo). Over the years, with the evolution of technology, they have concentrated on research into how to create a standard framework in Brazil that respects the ethical questions that must be fundamental requirements of any solution of this scale.



  Keynote: The history behind IDA
 Ilfak Guilfanov
  This talk will cover the experiences and lessons learned behind the creation of the most famous disassembler, IDA Pro.
  Ilfak Guilfanov is a software developer, computer security researcher and blogger. He became well known when he issued a free hotfix for the Windows Metafile vulnerability on 31 December 2005. His unofficial patch was favorably reviewed and widely publicized because no official patch was initially available from Microsoft. Microsoft released an official patch on 5 January 2006.

Guilfanov was born in a small village in the Tatarstan Region of Russia in a Tatar family. He graduated from Moscow State University in 1987 with a Bachelor of Science in Mathematics. He lives in Liège, Belgium and works for Hex-Rays. He is the systems architect and main developer for IDA Pro, which is Hex-Rays' commercial version of the Interactive Disassembler Guilfanov created. A freeware version of this reverse engineering tool is also available.



  PhysICS – Using physics simulation engine to demonstrate impacts on industrial control systems attacks
 Jan Seidl
  Sometimes it is difficult to demonstrate the impact of attacks, or how effective controls are, because simple PLC simulators have no logic or process attached to them. In the same way, plant owners (understandably) won't let researchers run tests on their live plants.

In order to have a clearer picture, VirtuaPlant was created using a game and physics engine to simulate the whole ICS process, from the industrial protocol to the HMI and finally the actual process hardware, like conveyor belts, valves, solenoids, sensors etc.

Currently offering a simple bottle-filling process simulation, the project aims to include different process scenarios, like nuclear reactors, oil refining, turbines for power generation, and the most used protocols, like S7, OPC, DNP3 and such.

It's important to have a zero-real-world-impact platform for education on that subject, which is also useful for bringing awareness to clients who are skeptical or lack the background knowledge to really understand the risk they are exposed to.

Along with the simulated plants, VirtuaPlant also ships with some pre-built attack scripts that affect the process in different ways, lowering the knowledge barrier to using the tool and helping beginners who wish to join the ICS security field.
  A passionate, technology-driven IT professional with more than 10 years of experience in the area, of which 7 years were fully dedicated to ICS/SCADA security. I have run and participated in many Critical Infrastructure Protection projects in the biggest multinational and government companies from different industry sectors, including: power generation and distribution; chemical plants; oil & gas; factories; mining and steel factories; automated buildings.

Extensive experience in solutions from top-notch vendors such as IBM, SIEMENS, Waterfall, Codenomicon, Tofino, Ruggedcom, DICA, Blue Coat, Checkpoint, Palo Alto Networks, Trend Micro, Modicon/Schneider Electric, Honeywell, ABB and others.



  3 APIs + 1000 lines of code = Super pretty OSINT
 Matias Katz
  OSINT is in fashion; everybody is talking about it. But how difficult is it to accomplish, really? After asking ourselves that question, we planned our own super deep-analysis OSINT scraping tool, to prove that it's all smoke and mirrors. And we did it, in only a week and with less than 1000 lines of code.

In this talk I will present you 3 simple engines:
- Twitter public stream API: Allows you to read the public Twitter timeline in realtime, and perform specific filters regardless of mentions or hashtags.
- Google geocoding API: Allows you to draw live Google Maps and generate personalized drop points on it at the location you specify, with any kind of information you want on it.
- Python NLTK (Natural Language Toolkit): Performs text interpretation and syntactic analysis on provided strings, against specific expressions and phrasings. It also has the capability of learning from its history, in order to show better results.

The end result: A simple tool that shows live tweets about a string specified by us, points them on a live Google map at the city where the tweet was posted, and shows you whether the tweet has a negative, positive or neutral connotation. All that in less than 7 seconds after the tweet was posted by the original user.
  Matias Katz is a Penetration Tester who specializes in Web security analysis. He loves to build simple tools to perform discovery and exploitation on any software or network. He has spoken at BlackHat, H2HC, Ekoparty, Campus Party, OWASP and many important conferences. He is the founder and CEO of Mkit Argentina, a company that specializes in computer, physical and human security solutions. He is also the founder of the Andsec conference.



  A Next Generation DB Scanner
 Nelson Brito
  For many years, fingerprinting has been one of the most powerful approaches in any vulnerability assessment and penetration test, since it is the very first step of any footprinting stage. This talk will present the next step - i.e., next generation buzzword mode on - of such a technique, explaining in detail a new and innovative technology for a non-intrusive, non-harmful and non-disruptive fingerprint scanner for Microsoft SQL Servers... Not only version fingerprinting will be discussed, but also a vulnerability scanner with the lowest false-positive and false-negative rates ever, with no database credentials and/or authentication. Some comparisons will be demonstrated - some really cool live demos showing the current weaknesses in some publicly available tools.
  Nelson Brito - the T50 Creator - is just another Security Researcher & Enthusiast, addicted to playing with computer and network (in)security. He is a regular and sought-after speaker at conferences in Brazil - IME, CNASI, CONIP, SERPRO, ITA, H2HC, CIAB Workshop, BSidesSP, Silver Bullet, YSTS - and, also, the only Brazilian to speak at PH-Neutral. He is probably best known by industry experts, professionals, enthusiasts and academic audiences for his independent research work - "Permutation Oriented Programming", "SQL Fingerprint NG", "T50: An Experimental Mixed Packet Injector", "Inception: Reverse Engineering Hands-on". A special mention for the T50, which has been used by several companies to validate their infrastructure, and has also been incorporated into several Linux distros (ArchAssault, BackTrack, BlackArch, Kali).



  Direct X – direct way to Microsoft Windows kernel
 Nikita Tarakanov
  Graphics technologies expose a large number of APIs in kernel mode drivers that need to be accessible by ring 3 code. Whether you are creating a resource for a video game or a video player, you will end up using one of the low level functions that the Windows Display Driver Model provides for interaction with the kernel driver. Graphics operations are intensive, complex and accessible as an unprivileged user. This research focuses on how to find vulnerabilities in the low level, common ring 3 to ring 0 interactions as defined by WDDM and exposed through the GDI user mode library. In this presentation we will show you fuzzing statistics, methodologies, and vulnerabilities found in Intel, NVIDIA and ATI drivers.
  I am an independent information security researcher. I have worked as an IS researcher at Positive Technologies, Vupen Security and CISS. I like writing exploits, especially for the Windows NT kernel. I won the PHDays Hack2Own contest in 2011 and 2012. I tried to hack Google Chrome during Pwnium 2 but failed. I have published a few papers about kernel mode drivers and their exploitation. I am currently engaged in reverse engineering research and vulnerability search automation.



  Keynote: Cybersecurity Strategy
 Otavio Cunha
  Abstract: Given the evolution of cybersecurity issues throughout the world, how are countries preparing to deal with ever more efficient and effective cyber threats? The presentation will offer a holistic view of the problem to an audience that is ultimately more concerned with the question of “how to do it” and less with what may happen in global terms.
  Electronics Engineer working in information and communications security since the publication of James Bamford's book, The Puzzle Palace, in 1982, which led me to be not in the least impressed by Snowden's revelations in 2013(?). Why? Simple: it is part of the “game” :-).

After these decades of work I hope to share some technical questions with the crowd present at H2HC, with the aim of exchanging experiences in the cyber field. Competent people with the energy needed to act in this “special universe” are the ideal audience to understand the “game” and what will be able to dictate the rules of the new “games” being established between nations.



  Inside PaX Latest News
 PaX Team
  PaX is a patch for the Linux kernel that implements least privilege protections for memory pages. The least-privilege approach allows computer programs to do only what they have to do in order to be able to execute properly, and nothing more. PaX was first released in 2000.

PaX flags data memory as non-executable and program memory as non-writable, and randomly arranges the program's memory layout. This effectively prevents many security exploits, such as some kinds of buffer overflows. Non-executable data memory prevents direct execution of injected code absolutely, while the randomization makes so-called return-to-libc (ret2libc) attacks difficult to exploit, relying on luck to succeed, but doesn't prevent overwriting variables and pointers.

The PaX Project keeps innovating in providing a holistic security approach. This talk will cover the exciting new features released in the project since the last talk at H2HC.
  Main developer of the PaX Project



  Polyglot protocols for digital radio: a beginning
 Sergey Bratus
  Is it a PDF document, a ZIP archive, or a bootable disk image? As we know, a file can be all of the above, and a picture of a cat at the same time: a polyglot, exploiting the looseness and richness of certain digital formats. But surely radio protocols don't allow themselves to be treated that way? In fact, they do, via tricks with symbol encoding and modulation schemes.

It turns out that it's possible to design PHY-layer digital radio signals that appear to be different, valid signals to different standard receivers, and are in fact fully compatible with the respective standards. Eavesdropping on these signals with commodity equipment would show nothing out of the ordinary, while a second, hidden message is being transmitted by the same signal, creating a protocol-in-protocol, or a digital radio matryoshka doll. We will show (and play) such signals using the popular ham radio protocol PSK31 as an example, and discuss other protocols.

This fine technical lecture by two neighborly gentlemen describes techniques for designing polyglot modulation protocols, as well as concrete examples of such protocols that are fit for use in international shortwave radio communication.
  Travis Goodspeed is a Southern Appalachian neighbor with a bit of an obsession for the MSP430 microcontroller. Sergey Bratus is a North Appalachian neighbor and a Research Assistant Professor at Dartmouth College. Together, they accidentally broke the OSI Model with Packet-in-Packet, a PHY-layer exploit for remote frame injection portable to most digital radios, and continue to work on demystifying PHY for neighbors far and wide.



  CSP for everyone, fast and easy
 Sergey Shekyan
  CSP (Content Security Policy) is a W3C candidate recommendation for a policy language that can be used to declare content restrictions for web resources. It prevents exploitation of cross site scripting (XSS) and other related vulnerabilities and is understood by all major browsers. Although CSP is widely supported, the adoption rate is diminutive. In our talk, we will explain reasons for the low adoption and how to best utilize CSP at your organization. We will explore challenges of creating and deploying a policy, how reporting might be abused, and deviations between the specification and implementations. You will also learn about tooling to help create and verify the efficacy of your policy.
  Sergey Shekyan is a Principal Engineer at Shape Security, where he focuses on the development of a new generation web security product. Prior to Shape Security, he spent 4 years at Qualys developing their on-demand web application vulnerability scanning service. Sergey has presented research at many conferences, covering various information security topics.



  Making sense of a million samples per day
 Stefano Zanero
  With the astonishing rate of new and modified malware samples being released daily, automation of analysis is needed to classify and cluster together similar samples, exclude basic and uninteresting variations, and focus costly manual analysis work on novel and interesting features (e.g., added or removed pieces of code with a given semantic). We will discuss the challenges in analyzing large malware datasets in a (semi)automatic fashion, and some recent research results that may help with the task by leveraging the concept of "behavior" applied to malicious code.
  Stefano Zanero received a PhD in Computer Engineering from Politecnico di Milano, where he is currently an associate professor. His research focuses on intrusion detection, malware analysis, and systems security. Besides teaching "Computer Security" at Politecnico, he has extensive speaking and training experience in Italy and abroad. He has co-authored over 40 scientific papers and books. He is an associate editor for the "Journal in computer virology". He's a Senior Member of the IEEE (covering volunteer positions at national and regional level), of the IEEE Computer Society (for which he is the current chair of the Italy chapter), of the ACM and of ISSA (Information System Security Association). He currently sits on the International Board of Directors of the ISSA. Stefano has co-founded two startups, and is an active entrepreneur and business angel. He is also part of the committee for both the H2HC and Black Hat conferences.



  Bug Hunting for the man on the street
 Vladimir Wolstencroft
  Finding and discovering bugs has to be one of the most special times in a security researcher's life (until you realise that the crash you've been searching for and finally found is not actually exploitable). But the process of searching, discovery, understanding and, of course, some very much needed trial and error, many would say is rewarding and fulfilling in itself (I would, of course, prefer to have my exploit cherry on top)!

So this talk will detail some of the aspects required to hunt down and find these coveted security vulnerabilities and bugs, and some approaches that have proven to be invaluable (and some not so much).

Of course, bug hunting principles need to produce bugs, so as the cherry there will also be quite a number of vulnerabilities discovered in a security vendor's products, as well as vulnerabilities in virtualisation software, that were found using the application of simple methodologies!
  Vladimir is a security consultant and researcher with Aura Information Security in New Zealand. Transitioning from a five-year career in development specialising in web and mobile applications and games, Vladimir joined Aura to pursue his passion for security.

Vladimir has previously presented security talks at Troopers, NZITF and ISACA NZ on a range of subjects, from mobile security to conducting research within a legal and lawful (mostly) framework. With wide experience in consulting and training (mostly teaching developers secure coding and design practices, but sometimes making them cry), Vladimir enjoys all aspects of the security field and, even more so, sharing good stories with you.



  Offensive Investigation of Banking Malware Incidents
 Yurii Khvyl
  Banking malware is responsible for more than $100m in losses for financial institutions and their clients. This number grows every year, and so does the need for security researchers to find new, effective methods that help them prevent such losses. One could greatly aid an investigation and protect against future malware attacks by exploiting vulnerabilities found in malware code, its logic or its control infrastructure.

Presentation Agenda:
∙ Overview of old and modern banking malware that is used by particular criminal groups as well as mistakes that they often make.
∙ Traditional ways of protection from banking malware: what can financial institutions and security researchers do.
∙ Offensive approach: attacking the malware to prevent financial losses.
∙ A look at publicly disclosed vulnerabilities that were found in recent banking malware.
∙ POC: a demo of general offensive protection techniques.
  Yurii Khvyl, Senior Malware Analyst at eCrime Unit, CSIS Security Group.

Obtained a master's degree as a System Analyst at NTUU “KPI” in 2005.
Worked as an independent security expert, investigating zero-day exploits and APT attacks.
Since 2011, working as Senior Malware Analyst at CSIS Security Group A/S. Speaker at various security conferences, presenting in-depth research and investigation of banking malware.
Member of the Honeynet Project and the DeepEndResearch Team.