BSides Berlin

Doors open - Networking, coffee and light refreshments

Welcome Words

Opening Keynote Hannah Suarez

Trends in managing cloud-based risks - perspectives from different industries

What’s the difference between managing SaaS risks and vulnerabilities between a creative agency, a software company, a consultancy and a large telecommunications company? From corporate to startup, I share how these industries are managing risks, vulnerabilities and threats on the cloud (SaaS, SaaS, SaaS).

For example: On the risk management and compliance side, we have the new ISO 27001:2022 standards now include controls that are applicable to cloud services (in addition to existing standards such as ISO 27017, BSI C5 and SOC 2 Type 2...). On the data protection side, we are seeing more interest around compliance of technical and organizational security measures of highly protected data on SaaS, owned by companies in other jurisdictions. On the red team and penetration side, conducting pentests and providing reports of SaaS-based applications tests have become more complex for customers to understand, i.e to what extent the underlying infrastructure is in scope. And on the blue team side, cloud providers are providing options for confidential computing to further secure data for protected industries such as telco and health care.

This talk explores the many interesting facets and trends in cloud services based on my daily observations working across different industries with a focus on cloud-based security.

Bye Bye NTLM Evgenij Smirnov

NTLM is old and weak - no wonder given its 30+ years of service! To harden your environments, you're going to have to get rid of it, sooner rather than later. In this talk you will learn why this isn't a trivial task and how to achieve it without breaking too much along the way.

Coffee Break

Security in the Era of LLMs and GenAI Natalie Pistunovich

In this talk, we'll explore the security challenges that arise as Large Language Models and various Generative AI fields like text and visual media become increasingly popular and widespread. We'll go over some specific attack vectors, such as data poisoning and prompt injection, as well as mitigation strategies, including those recommended by OWASP for both LLMs and GenAI. Attendees will leave equipped with an overview of the current state of things as well as actionable guidelines for securing their AI-powered systems.

How I Learned to Stop Worrying and Build a Modern Detection & Response Program Allyn Stott

You haven’t slept in days. Pager alerts at all hours. Constant firefights. How do you get out of this mess? This talk gives away all the secrets you’ll need to go from reactive chaos to building and running a finely tuned detection and response program (and finally get some sleep).

Lunch Break

The Art of Compromising C2 Servers: A Web Application Vulnerabilities Perspective Vangelis Stykas

C2 servers of malware are usually left to their own fate after they have been discovered and the malware is no longer effective. We are going to take a deep dive into the rabbit hole of attacking and owning C2 servers, exposing details about their infrastructure and the identity of their operators.

Mean blue team: Fighting phishing one exploit at a time Alberto del Rio

We had a phishing campaign coming from an organized crime group last year. Customers kept giving up details and losing money to them. With the negative of law enforcement, we had no way to deal with this until we started looking for vulnerabilities in the attackers code and try to get the data back.

Catching Moby-Dick: Phishing techniques for challenging environements Fabian Becker

With increasing corporate defenses against credential and malware phishing, we developed a toolbox of phishing techniques over the years to use in challenging scenarios. Drawing from years of red teaming experience, we share several techniques we use in phishing engagements against highly secured environments. Join us to hear about how we deal with MitM (monster-in-the-middle) detections on multi-factor logins, deeply technical phishing targets, locked down workstations and physical security keys.

Coffee Break

Jailbreaking an Electric Vehicle in 2023 or What It Means to Hotwire Tesla's x86-Based Seat Heater Christian Werling, Niclas Kühnapfel, Hans Niklas Jacob

Tesla has been known for their advanced and well-integrated car computers, from serving mundane entertainment purposes to fully autonomous driving capabilities. More recently, Tesla has started using this well-established platform to enable in-car purchases, not only for additional connectivity features but even for analog features like faster acceleration or rear heated seats. As a result, hacking the embedded car computer could allow users to unlock these features without paying. In this talk, we will present an attack against newer AMD-based infotainment systems (MCU-Z) used on all recent models. It gives us two distinct capabilities: First, it enables the first unpatchable AMD-based "Tesla Jailbreak", allowing us to run arbitrary software on the infotainment. Second, it will enable us to extract an otherwise vehicle-unique hardware-bound RSA key used to authenticate and authorize a car in Tesla's internal service network. For this, we are using a known voltage fault injection attack against the AMD Secure Processor (ASP), serving as the root of trust for the system. First, we present how we used low-cost, off-the-self hardware to mount the glitching attack to subvert the ASP's early boot code. We then show how we reverse-engineered the boot flow to gain a root shell on their recovery and production Linux distribution. Our gained root permissions enable arbitrary changes to Linux that survive reboots and updates. They allow an attacker to decrypt the encrypted NVMe storage and access private user data such as the phonebook, calendar entries, etc. On the other hand, it can also benefit car usage in unsupported regions. Furthermore, the ASP attack opens up the possibility of extracting a TPM-protected attestation key Tesla uses to authenticate the car. This enables migrating a car's identity to another car computer without Tesla's help whatsoever, easing certain repairing efforts.

The attackers guide to exploiting secrets in the wild Mackenzie Jackson

Exposed secrets like API keys are vulnerabilities attackers regularly exploit. We will outline various methods used to discover and exploit these secrets, including, abusing git repos, exploiting misconfigurations, decompiling containers & reverse mobile applications to expose the secrets within.

Coffee Break

AI Package Hallucination – Spreading Malicious Packages Using Generative AI Bar Lanyado

Revolutionary research exposes new attack technique using ChatGPT! Discover how attackers could exploit its hallucination to spread malicious packages, posing a grave threat to developers and production systems.

Closing Keynote Mikko Hypponen

Malware and machine learning: a match made in hell

Defending against cyber attacks is a never-ending race. Next, we're likely to see fully automated malware campaigns, using machine learning or generative AI. We defenders have been able to automate much of our work, enabling excellent detection, analysis and reaction times. Next up, attackers will do the same. Once the attackers migrate to automated operations, it will be a game of a robot against a robot. And then we will see that the only thing that can stop a bad AI is a good AI.