Security IT in practice

Security PWNing Conference 2018

Time left to conference:
20
days
20
hours
22
minutes
21
seconds

Take care of security of information systems and data in your company!

Apply to participate in the Security PWNing Conference 2018!

The conference participants will get to know current IT security threats and the latest methods of protecting business assets. They will learn, among others, what current threats entails connecting different types of devices to their computers and how to counteract them.

Top experts will present the latest research results and advise on how to improve the security of operating systems and applications. There will also be news on technical IT security and carrying out safety tests.

The conference participants will receive not only a huge dose of knowledge, but also the opportunity to develop their business contacts.

 – – – – – – – – – – – – – – – – – – – – – – – – -Gynvael-zdj_C4_99cie

On behalf of Gynvael Coldwind (Chairman of the Scientific Committee) and the Institute of PWN (Publishing House in Poland). As The PWN Group we not only manage the publishing process, but also provide the educational training, including conferences and symposia. We would like to invite you to attend „Security PWNing Conference 2018″. The meeting will take place on 19-20 November 2018 in Warsaw (Warsaw Plaza Hotel), Poland. The conference program is aimed at professionals who practice in the field of computer security. This is the third edition of the Security PWNing Conference.

988x302_2

Scientific Program

TRANSLATION

Simultaneous translation into English will be provided!

tlumaczenie

November 19
09:00-09:50
Registration
09:50-10:00
Opening
Gynvael Coldwind
10:00-10:45
Hardware RE: how to hack a hotel door lock's firmware and... write a better one yourself
MICHAŁ LESZCZYŃSKI, MAREK KLIMOWICZ, JAROSŁAW JEDYNAK

If people write custom firmware for routers, why not do it for a hotel door lock? We will present reverse engineering techniques suited for undocummented hardware and possibilities for independent adjustment of software. Moreover, we will also show some exploits for these kinds of locks.

10:45-10:55
Coffee break
10:55-11:25
PentHertz - the use of radio attacks in red team and penetration tests
Sebastian Dudek

Red team tests consist of multiple cases scenarios where penetration testers are given free rein to produce realistic attacks against a targeted company. To intrude a company, attackers may try to find flaws in exposed services or send malicious emails. But when this company has a low level exposure and because the development of undetected malicious mails is time consuming, physical intrusions are, to the contrary, more difficult to prevent.

więcej>>
11:25-11:35
Coffee break
11:35-12:05
Hacking JWT (JSON Web Token) - real life cases
MICHAŁ SAJDAK
12:05-12:15
Coffee break
12:15-12:40
Funny Bugs in Big Companies
Millennium Bank
Tomasz Bukowski, Marcin Grzesiak

A short presentation of selected vulnerabilities that we have come across while working in our institution.

12:40-13:40
Lunch
13:40-14:10
Getting the most from Cyber Security Assessments
Paweł Krzywicki

Red teaming, pentesting, white box testing – many definitions and even more ways to conduct these tests, but how they help in the ultimate decision if the product requires additional investments? This paper will deep dive into a real attack executed by a red team against a multi-layer product.

więcej>>
14:10-14:20
Coffee break
14:20-14:45
End of Security vs. Development quarrels?
INTEL
Beata Szturemska, Paweł Krzywicki

A short story about the way security researchers and development teams cooperate to focus on doing the right and meaningful things, give developers a chance to grow and have time to hack their own code (when we get tired of playing ping pong).

14:45-14:55
Coffee break
14:55-15:25
Low level debugging with Pwndbg
Dominik Czarnota

This talk will present a plugin for GDB called Pwndbg, useful for debugging of assembly code, reverse engineering and exploit development.

15:25-15:35
Coffee break
15:35-15:45
Hackingdept: New dimention of education
STM Solutions
Grzegorz Wróbel

The online training courses available quickly become obsolete? Are you interested in current aspects of attacks, including hardwar attacks? Do you need a solution for recruitment processes, education and promotion of your team in one? Don’t necessarily want to share your team’s knowledge with external training providers? Would you like to learn from members of the best CTF teams in Poland and  in the world ? Come and listen about Hackingdept.

15:45-15:50
Technical break
15:50-16:20
How Polish people lose their money in Internet? Overview of the most popular Polish scammers
Piotr Konieczny

Every day in internet Polish people are victims of the sophisticated criminals or… their naivety and stupidity. The effect of this two cases are the same – losing money. The lecture will try to illustrate how the „cybercriminals” have evolved over the last few months and indicate who they are and how much they earn.

16:20-16:30
Coffee break
16:30-16:40
USB, SATA, SCSI and hardware disk encryption
Avidata
Kacper Kulczycki

Briefly talk about complications induced by hardware encryption of disks with the integrated USB connector and methods applied in data recovery and digital investigations.

16:40-16:45
Technical Break
16:45-17:15
Social engineering wizards - the most interesting criminals' tricks
Adam Haertle

During the presentation I will provide an overview of the most interesting cases of the use of social engineering in attacks on Polish Internet users in recent years and some victims’ reactions.

17:15-17:25
Coffee break
17:25-17:55
From Shellsort to " Shellsort" like a MacGyver style
Reenz0h

A lot of research has been conducted in recent years on performing code injection in the Windows operating system without touching the disk. The same cannot be said about *NIX (and Linux specifically).

Imagine yourself sitting in front of a blinking cursor, using a shell on a freshly compromised Linux server, and you want to move forward without leaving any traces behind. You need to run additional tools, but you don’t want to upload anything to the machine. Or, you simply cannot run anything because the noexec option is set on mounted partitions. What options remain? 

więcej>>
17:55-18:00
Closing remarks
Gynvael Coldwind
After Party
20:00-23:00
After party

After an intense conference day, we invite you to the after party in Warsaw Plaza Hotel (in the foyer of the conference room). During this informal meeting, you will be able to not only relax, but also talk with other participants and speakers and make new contacts.

During the meeting, we will provide dinner in the form of a buffet and drinks. We will also give you vouchers for free beer and wine which you can pick up during the after party

START: 19 th November 19, 8 pm

Have fun!

November 20
09:50-10:00
Opening
Gynvael Coldwind
10:00-10:30
Programmer as a key to the company - GIT servers exploitation
Kacper Szurek

Almost each IT company has a GIT server. We treat it like something obvious, but are we aware that it can be a tidbit for the attackers? The security of a few GIT servers was put under examination and this presentation shows the results of the research that ended with discovery of vulnerabilities allowing for remote code execution.

10:30-10:45
Coffee Break
10:45-11:30
Dangerous adventures during binary analysis - Tales about bugs in analytical tools and more
KAMIL FRANKOWICZ

The talk will cover bugs and security vulnerabilities in all sorts of binary analysis tools, support tools and libraries, useful in dealing with malware – at every stage of the analysis: network, binary and detection stage.

Many vulnerabilities mostly are basic coding errors, which, probably only with the help of cosmic rays, have been placed in the source code. I have not suspected their creators of such things so far ;-)

11:30-11:45
Coffee break
11:45-12:15
Good old mmap – mmap exploitation in Linux kernel drivers
Mateusz Fruba

Memory mapping issues in Linux kernel drivers were discovered years ago. Despite the discovery of this category of issues, a number of vulnerable device drivers were developed for various platforms such as mobile devices, TV, routers, servers and many more types of embedded devices. It is believed that the primary reason for this is due to the lack of public guidelines about secure kernel development practices. Each developer has to learn it by himself. Often, they will only learn about the pitfalls, when a public exploit is created for their driver and the security team is expected to resolve it. This presentation aims to show the process of creating a fully weaponized exploit for faulty mmap implementation in Linux kernel drivers.

12:15-12:30
Coffee Break
12:30-13:00
Teledildonics - technical, ethical and legal aspects of security of connected sex toys
Maciej Chmielarz

In a time when connecting consumer electronics to the web is cheap and easy, makers of all kinds of devices urge to add this functionality to their products. If only something has a battery, typically it also has wireless interface, mobile app, service in the cloud and broad attack surface associated with all these. Oftentimes it does not bring customers actual value, despite the cost of increased risk.

więcej>>
13:00-14:00
Lunch
14:00-15:00
Lightning talks
15:00-15:15
Coffee break
15:15-15:45
How do the car-sharing companies implement GDPR in practice
Tomasz Zieliński

GDPR states that a „data subject shall have the right to receive the personal data concerning him or her, which he or she has provided to a controller, in a structured, commonly used and machine-readable format”. However, does an Excel file with embedded ActiveX controls meet such requirements? Also, what happens when the e-mail address of a data protection officer has a typo? I will present the outcome of my experiment, in which I tried to use GDPR while corresponding with ten Polish car and scooter-sharing companies.

15:45-16:00
Coffee break
16:00-16:30
C/C++ vs Security!
Gynvael Coldwind
16:30-16:45
Coffee breaks
16:45-17:45
CTF security competitions results
17:45-18:00
Closing remarks
Gynvael Coldwind

Video 2017

Speakers

Dominik Czarnota
Security Engineer at Trail of Bits. Contributor to Pwndbg and Manticore open source projects. Plays CTF contests focusing on re/pwn/web cate... more
Sebastian Dudek
Information security expert wroking for Synacktiv company. For over 7 years he has been particularly passionate about problems in radiocommu... more
Adam Haertle
ZaufanaTrzeciaStrona.pl. Creator and main editor one of the most popular security websites. Security expert with passion, conference spea... more
Jarosław Jedynak
Fascinated by programming since grade school. Changed his career path to become a malware analyst in CERT Polska, where he used to work on r... more
Marek Klimowicz
Automation and Robotics Engineer from Bialystok University of Technology. Self-taught programmer and electronical engineer. He creates robot... more
Piotr Konieczny
Chief Information Security Officer, Niebezpiecznik.pl
Michał Leszczyński
From April 2018 a member of the CERT Polska team, where he creates various tools and systems. Sometimes he happens to analyze some malware (... more
Michał Sajdak
The founder and creator of sekurak.pl website, an IT security consultant in Securitum, trainer. He has over ten years of experience in issue... more
Tomasz Bukowski
Physicist by education. He deals with difficult (security) IT problems at Bank Millennium. Proud member of DragonSector.
Maciej Chmielarz
Maciej Chmielarz has been working in the IT sector since 2008. His experience comes from leading Polish and global technology companies that... more
Kamil Frankowicz
The big fan of fuzzing and new methods of causing software failures. On a daily basis, he defends the security of the Polish Internet by wor... more
Marcin Grzesiak
IT engineer with passion for software development. Became software security engineer in Bank Millennium on early 2017. Every day deals with ... more
Mateusz Fruba
Security consultant working for MWR InfoSecurity. Privately, he is a security enthusiast with a passion for spoiling full platforms, from we... more
Kacper Kulczycki
Peer of 5150 IBM PC. Studied in Faculty of Physics University of Warsaw, crucial place for the coming into existence of the Polish Internet.... more
Paweł Krzywicki
Paweł Krzywicki works as a Security Researcher & a Red Teamer at Intel. During last 20 years he sometimes played a role of a Project Ma... more
Reenz0h
Geek by passion, engineer by profession since last millennium. For many years he's been working in global red team simulating threat actors ... more
Beata Szturemska
A developer in Platform Security Department at Intel. She is not devoted to any particular technology or programming language, which gives h... more
Kacper Szurek
Kacper is a Detection Engineer at ESET. He owns a YouTube channel (KacperSzurek) where he talks about pentester work and other related topic... more
Tomasz Zieliński
Developer, mobile team leader at PGS Software. During his several-year career he worked on maintaining financial software for the NBP, he pa... more
Grzegorz Wróbel
The founder of STM Solutions Sp. z o. o. Sp. k. Long-term specialist in the field of information protection . Since 2005 he has been involve... more

Program Council

Chairman of the Program Council

GYNVAEL COLDWIND

The programmer-enthusiast with passion to the IT security and low-level aspects of the IT, also the author of numerous articles, publications, podcasts and speeches devoted to these topics. In 2013 he was awarded in Las Vegas (together with Mateusz Jurczyk) Pwnie Award in the category „The most innovative scientific research” in the field of the IT security. The captain and co-founder of Dragon Sector, one of the best CTF teams in the world. Since 2010 he has been living in Zurich where he works for Google company as Senior Engineer/Information Security Engineer. The author of the books published by PWN: „Understanding Programming”, „Practical Reverse Engineering”.

Program Council

 Gynvael Coldwind – https://gynvael.coldwind.pl
Piotr Duczyński –  http://isaca.waw.pl
Mateusz Jurczyk – https://j00ru.vexillium.org
Mateusz Kocielski – http://www.akat1.plhttps://logicaltrust.net/
Borys Łącki – http://bothunters.pl

CTF SECURITY COMPETITIONS

Our conference will host the Dragon CTF organized by the Dragon Sector team.

The CTF will count towards the CTFtime.org general classification and will be held in the Jeopardy 4-players-per-team formula, with task categories including reverse engineering, low level exploitation, cryptography and web application security.

The total prize pool is 17 000 PLN.

In addition, an online CTF teaser will be run on the 29th-30th of September. The prizes for top teams in the online teaser include reimbursement of accommodation and travel expenses for the main competition. For details, please see https://ctftime.org/event/648.

We invite all conference participants and the top 10 teams from the teaser to participate in the Dragon CTF.

ORGANIZER

ds_tlo

SPONSORS

logo_corel_11

 

Samsung_Logo_Wordmark_RGB

Attractions

RELAXATION ZONE

We invite you to play together in virtual reality! VR Project has prepared many attractions for you!

In the VR zone you will be able to try one of the most technologically advanced VR sets – Oculus Rift with Touch controllers. The system allowes you to track the motion and full interaction with the virtual environment. Thanks to that, we guarantee the WOW effect and unforgettable impressions. It will be possible to explore the depths of the ocean, shoot drones somewhere in space, try rock climbing without belaying.

SRODEK_Strona_02 — kopia

The zone will be available on 19th November from 10 am to 6 pm

Sponsor of the relaxation zone

VR project LOGO


—–

INTERACTIVE EXHIBITION OF GAMES AND COMPUTERS

„Dawne Komputery i Gry” Fundation organized a zone for you, in which you will find computer equipment from a dozen or so dozens of years ago.

The exhibition is fully interactive – so you can not only watch the equipment, but also play computer games from years ago!

 SRODEK_Strona_02

And on what and what will you be able to play?

PONG, Atari 2600, Atari 65XE, Amiga 600, NES, SNES, Nintendo 64, Commodore 64, Nintendo GameCube, Sega Master System II, Sega Mega Drive II and many more.

 The exhibition will be available on 19th November, from 10 am to hours 11 pm and on 20th  November to 6 pm.

Place and date

NOVEMBER 19-20, Warsaw
Warsaw Plaza Hotel
ul. Łączyny 5
tel.:22 431 08 00​
e-mail: wph@warsawplazahotel.pl

Gold Sponsor:             —–

——

Silver Sponsor:      -

——

Sponsors:                    —-
—–

                                                                      

Sponsor of the relaxation zone: VR project LOGO

CALL FOR PARTNERS

We’d like to invite you to co-create the Security PWNing Conference 2018!

If you are interested in cooperation or delegating their employees to participate in the conference, please contact Natalia Popiel (natalia.popiel@pwn.pl).

We will be very glad if your company join to our team!

Registration form

Conditions for the participation

The pro forma invoice will be used for payment, which will be sent in PDF format to the email address you filled in the application.

When you don’t pay for the  pro forma invoice it doesn’t mean you give up your participation in the conference.

When you cancell your reservation later than 14 calendar days before the date of the event the organizer reserves the right to charge  full cost of participation in the  conference.

——————————————————————–

Participants includes:

  • admission to the lectures (2 days)
  • conference materials
  • coffee and lunch breaks (2 days)
  • AFTER PARTY (the first day)
  • unique atmosphere :)

CODE OF CONDUCT for conferences and training courses

Please complete the form below and accept the terms and conditions.

Date

NOVEMBER 19-20 2018, Warsaw

Options

CONFERENCE PARTICIPATION
CONFERENCE (ewentualnie CONFERENCE PARTICIPATION) + afterparty
CONFERENCE (EWENTUALNIE CONFERENCE PARTICIPATION) (afterparty not included)

Price

Participants

VAT invoices data

Company/Institution
Individual

Terms of VAT exemption

Yes - I declare that participation in the conference is financed by public
No - participation in the conference is not financed by public resources

Payment type

Transfer after receiving the invoice
Pay-U