Table of Contents

  1. Privacy
    1. What's left for private messaging?
    2. No Body's Business But Mine, a dive into Menstruation Apps
    3. Listening Back Browser Add-On Tranlates Cookies Into Sound
  2. Vulnerabilities
    1. Plundervolt
    2. Breaking PDF security
    3. Practical Cache Attacks from the Network and Bad Cat Puns
    4. ZombieLoad Attack
    5. A systematic evaluation of OpenBSD's mitigations
    6. A Deep Dive Into Unconstrained Code Execution on Siemens S7 PLCs
    7. TrustZone-M(eh): Breaking ARMv8-M's security
    8. All wireless communication stacks are equally broken
    9. On the insecure nature of turbine control systems in power generation
  3. Exploit development
    1. No source, no problem! High speed binary fuzzing
    2. Hacking an NFC toy with the ChameleonMini
    3. Breaking Microsoft Edge Extensions Security Policies
    4. Identifying Multi-Binary Vulnerabilities in Embedded Firmware at Scale
    5. SELECT codeexecution FROM * USING SQLite;
    6. The Great Escape of ESXi
  4. Apple
    1. Messenger Hacking: Remotely Compromising an iPhone through iMessage
    2. KTRW: The journey to build a debuggable iPhone
    3. The One Weird Trick SecureROM Hates
  5. Facebook
    1. Inside the Fake Like Factories
    2. Art against Facebook
  6. Politics
    1. What the World can learn from Hongkong
    2. The KGB Hack: 30 Years Later
    3. Suing Finfisher. Breaches of law when exporting surveillance software
    4. What operating system does the Bundestag have and how can you hack it?
    5. The network policy annual review
    6. Police databases and minorities: State stigma and discrimination against Sinti and Roma
    7. Technical aspects of the surveillance in and around the Ecuadorian embassy in London
    8. The Case Against WikiLeaks: a direct threat to our community
  7. Miscelanneous
    1. SIM card technology from A-Z
    2. Harry Potter and the Not-So-Smart Proxy War
    3. Encrypted DNS? D'oh! - The Good, Bad and Ugly of DNS-over-HTTPS (DoH)
    4. (Post-Quantum) Isogeny Cryptography
    5. Intel Management Engine deep dive
    6. Wifibroadcast
    7. Look at ME! - Intel ME Investigation
    8. Security Nightmares 0x14
    9. Email authentication for penetration testers
    10. Cryptography demystified
    11. Hacking (with) a TPM
    12. Uncover, Understand, Own - Regaining Control Over Your AMD CPU
    13. Build you own Quantum Computer @ Home - 99% of discount - Hacker Style !
    14. The Case for Scale in Cyber Security

Privacy

What's left for private messaging?

It is easier to chat online securely today than it ever has been. Widespread adoption of signal, wire, and the private mode of WhatsApp have led a broader recognition of the importance of end-to-end encryption. There's still plenty of work to be done in finding new designs that balance privacy and usability in online communication. This introduction to secure messaging will lay out the different risks that are present in communications, and talk about the projects and techniques under development to do better.

No Body's Business But Mine, a dive into Menstruation Apps

In September 2019, Privacy International released exclusive research on the data-sharing practices of menstruation apps. Using traffic analysis, researchers have shed lights on the shady practices of companies that shared your most intimate data with Facebook and other third parties. In this talk they will go over the findings of this research, sharing the tools they have used and explaining why this is not just a privacy problem, but also a cybersecurity one. This talk will also be a call to action to app developers whose tools have concrete impact on the lives of their users.

Listening Back Browser Add-On Tranlates Cookies Into Sound

‘Listening Back’ is an add-on for the Chrome and Firefox browsers that sonifies internet cookies in real time as one browses online. By translating internet cookies into sound, the ‘Listening Back’ browser add-on provides an audible presence for hidden infrastructures that collect personal and identifying data by storing a file on one’s computer. Addressing the proliferation of ubiquitous online surveillance and the methods by which our information flows are intercepted by mechanisms of automated data collection, ‘Listening Back’ functions to expose real-time digital surveillance and consequently the ways in which our everyday relationships to being surveilled have become normalised. This lecture performance will examine Internet cookies as a significant case study for online surveillance with their invention in 1994 being historically situated at the origins of automated data collection, and the commercialisation of the World Wide Web. I will integrate online browsing to demonstrate the ‘Listening Back’ add-on and explore it’s potential to reveal algorithmic data capture processes that underlie our Web experience.

Vulnerabilities

Plundervolt

Many processors (including the widespread Intel Core series) expose privileged software interfaces to dynamically regulate processor frequency and operating voltage. Researchers show that these privileged interfaces can be reliably exploited to undermine the system's security. In multiple case studies, they show how the induced faults in enclave computations can be leveraged in real-world attacks to recover keys from cryptographic algorithms (including the AES-NI instruction set extension) or to induce memory safety vulnerabilities into bug-free enclave code.

Breaking PDF security

PDF is the most widely used standard for office documents. Supported by many desktop applications, email gateways and web services solutions, are used in all sectors, including government, business and private fields. For protecting sensitive information, PDFs can be encrypted and digitally signed. Assumed to be secure for 15 years, this talk reveals how to break PDF Encryption and how to break PDF Signatures. Researchers elaborated novel attacks leading to critical vulnerabilities in all PDF viewers, most notably in Adobe, Foxit, and Okular. As a result, an attacker can retrieve the plaintext of encrypted PDFs without knowing the password and manipulate the content of digitally signed PDFs arbitrarily while a victim is unable to detect this.

Practical Cache Attacks from the Network and Bad Cat Puns

This research shows that network-based cache side-channel attacks are a realistic threat. Cache attacks have been traditionally used to leak sensitive data on a local setting (e.g., from an attacker-controlled virtual machine to a victim virtual machine that share the CPU cache on a cloud platform). With the attack called NetCAT, researchers show this threat extends to untrusted clients over the network, which can now leak sensitive data such as keystrokes in a SSH session from remote servers with no local access. The root cause of the vulnerability is a recent Intel feature called DDIO, which grants network devices and other peripherals access to the CPU cache. Originally, intended as a performance optimization in fast networks, researchers show DDIO has severe security implications, exposing servers in local untrusted networks to remote side-channel attacks.

ZombieLoad Attack

The ZombieLoad attack exploits a vulnerability of most Intel CPUs, which allows leaking data currently processed by other programs. ZombieLoad is extremely powerful, as it leaks data from user-processes, the kernel, secure enclaves, and even across virtual machines. Moreover, ZombieLoad also works on CPUs where Meltdown is fixed in software or hardware. The Meltdown attack published in 2018 was a hardware vulnerability which showed that the security guarantees of modern CPUs do not always hold. Meltdown allowed attackers to leak arbitrary memory by exploiting the lazy fault handling of Intel CPUs which continue transient execution with data received from faulting loads. With software mitigations, such as stronger kernel isolation, as well as new CPUs with this vulnerability fixed, Meltdown seemed to be solved.

A systematic evaluation of OpenBSD's mitigations

OpenBSD markets itself as a secure operating system, but doesn't provide much evidences to back this claim. The goal of this talk is to evaluate how effective OpenBSD's security mitigation are, in a systematic, rational and comprehensive way. OpenBSD's website advertises a secure and modern operating system, with cool and modern mitigations. But no rational analysis is provided: are those mitigations effective? what are their impacts on performances, inspectability and complexity? against what are they supposed to defend? how easy are they to bypass? where they invented by OpenBSD or by others? is OpenBSD's reputation warranted?

A Deep Dive Into Unconstrained Code Execution on Siemens S7 PLCs

Siemens is a leading provider of industrial automation components for critical infrastructures, and their S7 PLC series is one of the most widely used PLCs in the industry. In recent years, Siemens integrated various security measures into their PLCs. This includes, among others, firmware integrity verification at boot time using a separate bootloader code. This code is baked in a separated SPI flash, and its firmware is not accessible via Siemens' website. In this talk, we present our investigation of the code running in the Siemens S7-1200 PLC bootloader and its security implications. Specifically, we will demonstrate that this bootloader, which to the best of our knowledge was running at least on Siemens S7-1200 PLCs since 2013, contains an undocumented "special access feature". This special access feature can be activated when the user sends a specific command via UART within the first half-second of the PLC booting. The special access feature provides functionalities such as limited read and writes to memory at boot time via the UART interface. We discovered that a combination of those protocol features could be exploited to execute arbitrary code in the PLC and dump the entire PLC memory using a cold-boot style attack. With that, this feature can be used to violate the existing security ecosystem established by Siemens. On a positive note, once discovered by the asset owner, this feature can also be used for good, e.g., as a forensic interface for Siemens PLCs. The talk will be accompanied by the demo of our findings.

TrustZone-M(eh): Breaking ARMv8-M's security

Most modern embedded devices have something to protect: Whether it's cryptographic keys for your bitcoins, the password to your WiFi, or the integrity of the engine-control unit code for your car. To protect these devices, vendors often utilise the latest processors with the newest security features: From read-out protections, crypto storage, secure-boot up to TrustZone-M on the latest ARM processors. In this talk, researchers break these features: they show how it is possible to bypass the security features of modern IoT/embedded processors using fault-injection attacks, including breaking TrustZone-M on the new ARMv8-M processors.

All wireless communication stacks are equally broken

Wireless connectivity is an integral part of almost any modern device. These technologies include LTE, Wi-Fi, Bluetooth, and NFC. Attackers in wireless range can send arbitrary signals, which are then processed by the chips and operating systems of these devices. Wireless specifications and standards for those technologies are thousands of pages long, and thus pose a large attack surface. Wireless exploitation is enabled by the technologies any smartphone user uses everyday. Without wireless connectivity our devices are bricked. While we can be more careful to which devices and networks we establish connections to protect ourselves, we cannot disable all wireless chips all the time. Thus, security issues in wireless implementations affect all of us.

On the insecure nature of turbine control systems in power generation

The research studies a very widespread industrial site throughout the world – power generation plants. Specifically, the heart of power generation – turbines and its DCS – control system managing all operations for powering our TVs and railways, gaming consoles and manufacturing, kettles and surveillance systems. We will share our notes on how those systems are functioning, where they are located network-wise and what security challenges are facing owners of power generation. A series of vulnerabilities will be disclosed along with prioritisation of DCS elements (hosts) and attack vectors. Discussed vulnerabilities are addressed by vendor of one of the most widespread DCS on our planet. During the talk we will focus on methodology how to safely assess your DCS installation, which security issues you should try to address in the first place and how to perform do-it-yourself remediation. Most of the remediation steps are confirmed by vendor which is crucial for industrial owners.

Exploit development

No source, no problem! High speed binary fuzzing

Modern grey-box fuzzers are the most effective way of finding bugs in complex code bases, and instrumentation is fundamental to their effectiveness. Existing instrumentation techniques either require source code (e.g., afl-gcc, ASan) or have a high runtime performance cost (roughly 10x slowdown for e.g., afl-qemu). This talk introduces Retrowrite, a binary rewriting framework that enables direct static instrumentation for both user-mode binaries and Linux kernel modules. Unlike dynamic translation and trampolining, rewriting code with Retrowrite does not introduce a performance penalty. We show the effectiveness of Retrowrite for fuzzing by implementing binary-only coverage tracking and ASan instrumentation passes. Our binary instrumentation achieves performance similar to compiler-based instrumentation.

Hacking an NFC toy with the ChameleonMini

The Toniebox plays songs or reads stories to your kids when they put a little figurine on top of it. This talk shows how to create a backup of it and use the ChameleonMini in place of it in case your kid ate it.

Breaking Microsoft Edge Extensions Security Policies

Browsers are the ones who handle our sensitive information. We entirely rely on them to protect our privacy, that’s something blindly trusting on a piece of software to protect us. Almost every one of us uses browser extensions on daily life, for example, ad-block plus, Grammarly, LastPass, etc. But what is the reality when we talk about security of browser extensions. Every browser extensions installed with specific permissions, the most critical one is host access permission which defines on which particular domains your browser extension can read/write data.

Identifying Multi-Binary Vulnerabilities in Embedded Firmware at Scale

Low-power, single-purpose embedded devices (e.g., routers and IoT devices) have become ubiquitous. While they automate and simplify many aspects of our lives, recent large-scale attacks have shown that their sheer number poses a severe threat to the Internet infrastructure, which led to the development of an IoT-specific cybercrime underground. Unfortunately, the software on these systems is hardware-dependent, and typically executes in unique, minimal environments with non-standard configurations, making security analysis particularly challenging. Moreover, most of the existing devices implement their functionality through the use of multiple binaries. This multi-binary service implementation renders current static and dynamic analysis techniques either ineffective or inefficient, as they are unable to identify and adequately model the communication between the various executables.

SELECT codeexecution FROM * USING SQLite;

SQLite is one of the most deployed software in the world. However, from a security perspective, it has only been examined through the narrow lens of WebSQL and browser exploitation. Researchers believe that this is just the tip of the iceberg. In this long term research, they experimented with the exploitation of memory corruption issues within SQLite without relying on any environment other than the SQL language. Using innovative techniques of Query Hijacking and Query Oriented Programming, they proved it is possible to reliably exploit memory corruptions issues in the SQLite engine. They demonstrate these techniques a couple of real-world scenarios: pwning a password stealer backend server, and achieving iOS persistency with higher privileges.

The Great Escape of ESXi

VMware ESXi is an enterprise-class, bare-metal hypervisor developed by VMware for deploying and serving virtual computers. As the hypervisor of VMware vSphere, which is the world's most prevailing, state-of-the-art private-cloud software, ESXi plays a core role in the enterprise's cloud infrastructure. Bugs in ESXi could violate the security boundary between guest and host, resulting in virtual machine escape. While a few previous attempts to escape virtual machines have targeted on VMware workstation, there has been no public VMware ESXi escape until a successful demonstration at GeekPwn 2018. This is mainly due to the sandbox mechanism that ESXi has adopted, using its customized filesystem and kernel. In this talk, researchers will share their study on those security enhancements in ESXi, and describe how they discovered and chained multiple bugs to break out of the sandboxed guest machine.

Apple

Messenger Hacking: Remotely Compromising an iPhone through iMessage

So called “0-click” exploits, in which no user interaction is required to compromise a mobile device, have become a highly interesting topic for security researchers, and not just because Apple announced a one million dollar bug bounty for such exploits against the iPhone this year. This talk will go into the details of how a single memory corruption vulnerability in iMessage was remotely exploited to compromise an iPhone. The insights gained from the exploitation process will hopefully help defend against such attacks in the future.

KTRW: The journey to build a debuggable iPhone

Development-fused iPhones with hardware debugging features like JTAG are out of reach for many security researchers. This talk takes you along the journey to create a similar capability using off-the-shelf iPhones. We'll look at a way to break KTRR, a custom hardware mitigation Apple developed to prevent kernel patches, and use this capability to load a kernel extension that enables full-featured, single-step kernel debugging with LLDB on production iPhones. This talk walks through the discovery of hardware debug registers on the iPhone X that enable low-level debugging of a CPU core at any time during its operation. By single-stepping execution of the reset vector, we can modify register state at key points to disable KTRR and remap the kernel as writable. I'll then describe how I used this capability to develop an iOS kext loader and a kernel extension called KTRW that can be used to debug the kernel with LLDB over USB.

The One Weird Trick SecureROM Hates

Checkm8 is an unfixable vulnerability present in hundreds of millions of iPhones' SecureROM. This is a critical component in Apple's Secure Boot model and allows security researchers and jailbreakers alike to take full control over the application processor's execution. This talk will detail how researchers have built an iOS jailbreak from the ground up - quite literally - by using an use-after-free in Apple's SecureROM. This is key code which is designed to bring up the application processor during boot but also exposes a firmware update interface over USB called DFU.

Facebook

Inside the Fake Like Factories

This talk investigates the business of fake likes and fake accounts: In a world, where the number of followers, likes, shares and views are worth money, the temptation and the will to cheat is high. With some luck, programming knowledge and persistence the researchers obtained thousands of fanpages, You Tube and Instagram account, where likes have been bought from a Likes seller. They were also able to meet people working behind the scenes and we will prove, that Facebook is a big bubble, with a very high percentage of dead or at least zombie accounts. The talk presents the methodology, findings and outcomes from a team of scientists and investigative journalists, who delved into the parallel universe of Fake Like Factories.

Art against Facebook

There is graffiti in the ruins of the feed and the event-info-capital is emigrating. Currently Facebook has a tight grip on the cultural scene with its events-calendar and with Instagram as a spectacular image feed. But an opposition is rising. Graffiti and net-art are merging with hacking. Activists are using facebook graffiti, through circulating UTF-8 textbombs that cross the layout of the feed. The Berlin network Reclaim Club Culture meanwhile is calling for a Facebook Exodus. They want to motivate the club and cultural scene to support free alternatives, by moving their biggest information capital, which are the event announcements.

Politics

What the World can learn from Hongkong

The people of Hong Kong have been using unique tactics, novel uses of technology, and a constantly adapting toolset in their fight to maintain their distinctiveness from China since early June. Numerous anonymous interviews with protesters from front liners to middle class supporters and left wing activists reveal a movement that has been unfairly simplified in international reporting. The groundbreaking reality is less visible because it must be - obfuscation and anonymity are key security measures in the face of jail sentences up to ten years.

The KGB Hack: 30 Years Later

This spring marked the 30th anniversary of the public uncovering of the so-called KGB Hack, bringing with it a number of new articles remembering the event and forging bridges to the present. The 36C3 seems an excellent opportunity to take a look back at the instance of hacking which, even more so than previous events like the BTX and NASA Hacks, brought the CCC into the focus of the (West-)German public – and, additionally, the Federal Office for the Protection of the Constitution (Verfassungsschutz) and the Federal Intelligence Service (Bundesnachrichtendienst). This talk aims to focus on the uncovering of the KGB Hack, which began in 1986 when Clifford Stoll, a systems administrator at the University of California in Berkeley, noticed an intruder in his laboratory’s computer system – and, unlike other admins of the time, decided to do something about it. It took three more years of relentless investigation on Stoll’s part and laborious convincing of the authorities of the United States and the Federal Republic of Germany to trace back the intruder to a group of young men loosely connected to the CCC who worked with the KGB, selling information gained from breaking into US military computers to the Soviet Union.

Suing Finfisher. Breaches of law when exporting surveillance software

Together with Reporter Without Borders (ROG), the European Center for Constitutional and Human Rights (ECCHR) and netzpolitik.org, the GFF has filed criminal complaints against the managing directors of FinFisher GmbH, FinFisher Labs GmbH and Elaman GmbH. There are urgent indications that the Munich company conglomerate sold the spy software FinSpy to the Turkish government without the approval of the German government and thus contributed to the surveillance of opposition figures and journalists in Turkey.

What operating system does the Bundestag have and how can you hack it?

Of course, if the state were an operating system, we would like it to be managed according to the principles of free software. The processes should run as transparently as possible so that everyone can check if something goes wrong somewhere. Of course, the design of the processes should not happen in a black box and the code should invite you to change and participate. Unfortunately, the processes in the Bundestag are not even transparent, let alone particularly participatory. The interface is so confusing that even people with admin rights (government) sometimes have difficulty keeping an overview. The processes are more analogous than one would expect anyway, with absurd, historically grown processes and unimaginable mountains of paper. There is little transparency and opportunities for participation are rare.

The network policy annual review

IT Security Act 2.0, state trojans for the protection of the constitution, upload filter and ancillary copyright, platform regulation and terrorist propaganda regulation, as well as the search for artificial intelligence in blockchain - 2019 was an eventful year in network policy. What were the highlights from a digital fundamental rights perspective and where were there cuts? What can we expect in the coming year and which debates and legal processes should we focus on as digital civil society? Ursula von der Leyen is now EU Commission President and has already announced in her application various network law processes that are not only noteworthy due to their track records. What can we expect in the debate about a reform of liability privileges and what are the options for platform regulation without breaking the open network?

Police databases and minorities: State stigma and discrimination against Sinti and Roma

For Sinti*zze and Roma*nja, hostility is part of everyday life. They are also under general suspicion from investigative authorities: there is fear that the police in various federal states will illegally collect and publish data on ethnic origin. Why is it so dangerous to record ethnic origin in police databases? And what are the consequences of mentioning them in reporting? When can the police collect data on ethnic origin? And when and with what methods may she do it despite the ban?

Technical aspects of the surveillance in and around the Ecuadorian embassy in London

The talk explains and illustrates the procedural and technical details of the surveillance in and around the Ecuadorian embassy in London during the time Julian Assange stayed in there from June 2012 until April 2019. In the aftermath of Assange's expel from the ecuadorian embassy in London and his arrest based on a US extradition warrant evidence appeared that the "Security" measures of the embassy had at some point switched from protecting Assange and the embassy to an extremely detailled surveillance operation both against Assange and his visitors. The Spanish company "Undercover Global" that has been in charge of the embassy between 2015 and April 2018 and its owner and CEO is under investigation for spying on behalf of the CIA. Material from the second company that has taken over the embassy "Security" in April 2018 has found its way into an attempted extortion and is also subject to a legal investigation. The talk will contain material both documenting the surveillance measures installed as well as audio and video material obtained by the surveillance gear. It will also briefly touch on surveillance measures experienced elsewhere by friends, lawyers, media partners and associates of Assange and Wikileaks in the context of the ongoing man hunt.

The Case Against WikiLeaks: a direct threat to our community

The unprecedented charges against Julian Assange and WikiLeaks constitute the most significant threat to the First Amendment in the 21st century and a clear and present danger to investigative journalism worldwide. But they also pose significant dangers to the technical community. This panel will explain the legal and political issues we all need to understand in order to respond to this historic challenge. The talk will dissect the legal and political aspects of the US case against Wikileaks from an international perspective. It will describe the threats this prosecution poses to different groups and the key issues the case will raise.

Miscelanneous

SIM card technology from A-Z

Billions of subscribers use SIM cards in their phones. Yet, outside a relatively small circle, information about SIM card technology is not widely known. This talk aims to be an in-depth technical overview. Today, billions of subscribers use SIM cards in their phones. Yet, outside a relatively small circle, information about SIM card technology is not widely known. If at all, people know that once upon a time, they were storing phone books on SIM cards.

Harry Potter and the Not-So-Smart Proxy War

This talk will take a look at the 'Vault 7' Protego documents, which have received very little attention so far, and challenge the assertion that Protego was a 'suspected assassination module for a GPS guided missile system … used on-board Pratt & Whitney aircraft' based on system block diagrams, build instructions and a few interesting news items. In addition, we will discuss hypothetical weaknesses in systems like it.

Encrypted DNS? D'oh! - The Good, Bad and Ugly of DNS-over-HTTPS (DoH)

Old school DNS is unencrypted and thus prone to MITM-Attacks or DNS-Hijacking. DNS-over-HTTPS (DoH) is trying to solve this finally by encrypting DNS-requests between the client and the resolver. There have been previous (failed) attempts of encrypting DNS, but DoH seems to be the most promising so far, because browser makers such as Mozilla and Google are pushing the adoption and plan to roll this technology out to all Firefox and Chrome users. Microsoft ist planning to support DoH in natively in Windows 10.

(Post-Quantum) Isogeny Cryptography

There are countless post-quantum buzzwords to list: lattices, codes, multivariate polynomial systems, supersingular elliptic curve isogenies. It is the year 2019 and apparently quantum supremacy is finally upon us. Surely, classical cryptography is broken? How are we going to protect our personal communication from eagerly snooping governments now? And more importantly, who will make sure my online banking stays secure?

Intel Management Engine deep dive

Reverse engineering a system on a chip from sparse documentation and binaries, developing an emulator from it and gathering the knowledge needed to develop a replacement for one of the more controversial binary blobs in the modern PC.

Wifibroadcast

This talk is about modifying cheap wifi dongles to realize true unidirectional broadcast transmissions that can transport digital data like HD drone video with guaranteed latency over a range of tens of kilometers. The talk will show the necessary changes to the firmware and kernel of the wifi dongle, the forward error correction and software diversity (fuse several receivers in software) that is added to improve reliability and the most prominent use case: Flying a remote controlled drone at a distance of tens of kilometers. Wifi as it is implemented in the 802.11 standard tries (as best as it can) to guarantee to a user the delivery of data and the correctness of the data. To increase the chance of delivery, the standard includes techniques like automatic retransmission, automatic rate reduction, CSMA/CA. To guarantee correctness, the packets are using CRC sums. These measures are very useful in a typical 1-to-1 communication scenario. However, they do not adapt very well to a 1-to-n scheme (broadcast). Even in case of a 1-to-1 scenario the techniques mentioned above make it impossible to guarantee a latency and throughput of a transmission.

Look at ME! - Intel ME Investigation

With Intel's Firmware Support Package (FSP) and the recent release of a redistributable firmware binary for the Management Engine, it has become possible to share full firmware images for modern x86 platforms and potentially audit the binaries. Yet, reverse engineering, decompilation and disassembly are still not permitted. However, thanks to previous research, we can have a closer look at the binary data and come to a few conclusions. This talk briefly summarizes the fundamentals of developing custom and open source firmware, followed by a quick guide through the process of analyzing the binaries without actually violating the terms to understand a few bits, and finally poses a statement on the political issues that researchers, repair technicians and software developers are facing.

Security Nightmares 0x14

What has happened in the area of IT security in the past year? What will be the next buzzwords and which new trends are already foreseeable today? As always, we dare the IT security nightmare outlook for 2020 and beyond. After all, what we really want to know is: Who argued with his AI last year? And how is the job profile of the blockchain exorcist developing? Will there be IT security weather forecasts on TV soon?

Email authentication for penetration testers

Forget look-alike domains, typosquatting and homograph attacks, this talk will present ways of forging perfect email counterfeits that (as far as recipients can tell) appear to be coming from well-known domain and successfully pass all checks on their way. Prime focus of this talk will be modern anti-spoofing strategies and the ways around them.

Cryptography demystified

This talk will explain the basic building blocks of cryptography in a manner that will (hopefully) be understandable by everyone. The talk will not require any understanding of maths or computer science. In particular, the talk will explain encryption, what it is and what it does, what it is not and what it doesn't do, and what other tools cryptography can offer. The talk will not require any understanding of maths or computer science.

Hacking (with) a TPM

Trusted Platform Modules (TPMs) are nowadays included in all consumer-grade devices. Whilst "the Trusted Platform Modules available for PCs are not dangerous, and there is no reason not to include one in a computer or support it in system software" (Richard Stallman, GNU) they have yet to gain wide-ranged adoption, especially for the daily needs of your average nerd. This talk will introduce OpenSource software and use cases that are already supported and how your everyday nerd can benefit from those by security your personal credentials, securing your system credentials, encrypting your storage and detecting BIOS manipulations.

Uncover, Understand, Own - Regaining Control Over Your AMD CPU

The AMD Platform Security Processor (PSP) is a dedicated ARM CPU inside your AMD processor and runs undocumented, proprietary firmware provided by AMD. It is a processor inside your processor that you don't control. It is essential for system startup. In fact, in runs before the main processor is even started and is responsible for bootstrapping all other components. This talk presents the efforts investigating the PSP internals and functionality and how you can better understand it.

Build you own Quantum Computer @ Home - 99% of discount - Hacker Style !

Quantum technologies are often only over-hyped showed as threat for cybersecurity … But they also offer some opportunities to enhance the cybersecurity landscape. As an example, you may know that a quantum computer will be able to break RSA keys but Quantum communication technologies can also provide a new way to exchange securely a cipher key. More, with Quantum networking technologies, communication eavesdropping are, by design, detectable and thus this could lead to some good opportunities to use them to enhance cybersecurity. Some even begins to build a Quantum internet! We may also solve main security issues face by cloud computation (privacy, confidentiality etc) via the use of "Blind quantum computation" in the cloud.

The Case for Scale in Cyber Security

The impact of scale in our field has been enormous and it has transformed the tools, the jobs and the face of the Infosec community. In this talk we discuss some of the ways in which defense has benefitted from scale, how the industry might be transitioning to a new phase of its growth and how the community will have to evolve to stay relevant.