BSides Berlin

Welcome Words

Opening Keynote Marie Gutbub

We partied like it was 1984. 10 years after Snowden: The good, the bad and all the things we're still waiting for.

In 2013, NSA whistleblower Edward Snowden dropped a bomb: Together with journalists, he leaked and published a large number of classified documents that showed the world the extent of US surveillance capabilities. Many people were confronted for the first time with the idea that if we continue to use technology in general, and the internet in particular, as we have been doing, privacy is dead. As is often the case with such revelations, the leak was followed by a period of intense activity around privacy and security. People mobilized, bottom-up privacy movements emerged, we campaigned, protested, questioned our governments and taught each other how to evade surveillance. Some donated money and time to support those who made our communications more secure, foundations funded privacy initiatives. We made songs about privacy, movies about surveillance, put CryptoParty stickers on every laptop and bathroom door we came across, and spread tons of memes. Every movement eventually loses momentum. Crisis follows crisis, personal and societal focus shifts. As incredible as it sounds, it's been ten years. What did we ask for in 2013, what were our hopes and beliefs? Where have we succeeded, where have we failed and how have our expectations changed?

Bye Bye NTLM Evgenij Smirnov

NTLM is old and weak - no wonder given its 30+ years of service! To harden your environments, you're going to have to get rid of it, sooner rather than later. In this talk you will learn why this isn't a trivial task and how to achieve it without breaking too much along the way.

Coffee Break

Supply Chain Attacks: Focused on NPM attacks Danish Tariq & Hassan Khan Yusufzai

Supply chain attacks are spreading like no other disease. This talk would be focused on the account takeover vulnerability of NPM packages of JS and prevention techniques and our scripts. - Includes research of scanning over 2.1 million packages for account takeover vulnerability (non-intrusive).

How I Learned to Stop Worrying and Build a Modern Detection & Response Program Allyn Stott

You haven’t slept in days. Pager alerts at all hours. Constant firefights. How do you get out of this mess? This talk gives away all the secrets you’ll need to go from reactive chaos to building and running a finely tuned detection and response program (and finally get some sleep).

Lunch Break

The Art of Compromising C2 Servers: A Web Application Vulnerabilities Perspective Vangelis Stykas

C2 servers of malware are usually left to their own fate after they have been discovered and the malware is no longer effective. We are going to take a deep dive into the rabbit hole of attacking and owning C2 servers, exposing details about their infrastructure and the identity of their operators.

Mean blue team: Fighting phishing one exploit at a time Alberto del Rio

We had a phishing campaign coming from an organized crime group last year. Customers kept giving up details and losing money to them. With the negative of law enforcement, we had no way to deal with this until we started looking for vulnerabilities in the attackers code and try to get the data back.

Jailbreaking an Electric Vehicle in 2023 or What It Means to Hotwire Tesla's x86-Based Seat Heater Christian Werling, Niclas Kühnapfel, Hans Niklas Jacob

Tesla has been known for their advanced and well-integrated car computers, from serving mundane entertainment purposes to fully autonomous driving capabilities. More recently, Tesla has started using this well-established platform to enable in-car purchases, not only for additional connectivity features but even for analog features like faster acceleration or rear heated seats. As a result, hacking the embedded car computer could allow users to unlock these features without paying. In this talk, we will present an attack against newer AMD-based infotainment systems (MCU-Z) used on all recent models. It gives us two distinct capabilities: First, it enables the first unpatchable AMD-based "Tesla Jailbreak", allowing us to run arbitrary software on the infotainment. Second, it will enable us to extract an otherwise vehicle-unique hardware-bound RSA key used to authenticate and authorize a car in Tesla's internal service network. For this, we are using a known voltage fault injection attack against the AMD Secure Processor (ASP), serving as the root of trust for the system. First, we present how we used low-cost, off-the-self hardware to mount the glitching attack to subvert the ASP's early boot code. We then show how we reverse-engineered the boot flow to gain a root shell on their recovery and production Linux distribution. Our gained root permissions enable arbitrary changes to Linux that survive reboots and updates. They allow an attacker to decrypt the encrypted NVMe storage and access private user data such as the phonebook, calendar entries, etc. On the other hand, it can also benefit car usage in unsupported regions. Furthermore, the ASP attack opens up the possibility of extracting a TPM-protected attestation key Tesla uses to authenticate the car. This enables migrating a car's identity to another car computer without Tesla's help whatsoever, easing certain repairing efforts.

Coffee Break

Catching Moby-Dick: Phishing techniques for challenging environements Fabian Becker

With increasing corporate defenses against credential and malware phishing, we developed a toolbox of phishing techniques over the years to use in challenging scenarios. Drawing from years of red teaming experience, we share several techniques we use in phishing engagements against highly secured environments. Join us to hear about how we deal with MitM (monster-in-the-middle) detections on multi-factor logins, deeply technical phishing targets, locked down workstations and physical security keys.

The attackers guide to exploiting secrets in the wild Mackenzie Jackson

Exposed secrets like API keys are vulnerabilities attackers regularly exploit. We will outline various methods used to discover and exploit these secrets, including, abusing git repos, exploiting misconfigurations, decompiling containers & reverse mobile applications to expose the secrets within.

AI Package Hallucination – Spreading Malicious Packages Using Generative AI Bar Lanyado

Revolutionary research exposes new attack technique using ChatGPT! Discover how attackers could exploit its hallucination to spread malicious packages, posing a grave threat to developers and production systems.

Closing Keynote Mikko Hypponen

Malware and machine learning: a match made in hell

Defending against cyber attacks is a never-ending race. Next, we're likely to see fully automated malware campaigns, using machine learning or generative AI. We defenders have been able to automate much of our work, enabling excellent detection, analysis and reaction times. Next up, attackers will do the same. Once the attackers migrate to automated operations, it will be a game of a robot against a robot. And then we will see that the only thing that can stop a bad AI is a good AI.