If people write custom firmware for routers, why not do it for a hotel door lock? We will present reverse engineering techniques suited for undocummented hardware and possibilities for independent adjustment of software. Moreover, we will also show some exploits for these kinds of locks.

Red team tests consist of multiple cases scenarios where penetration testers are given free rein to produce realistic attacks against a targeted company. To intrude a company, attackers may try to find flaws in exposed services or send malicious emails. But when this company has a low level exposure and because the development of undetected malicious mails is time consuming, physical intrusions are, to the contrary, more difficult to prevent.

A short presentation of selected vulnerabilities that we have come across while working in our institution.

Red teaming, pentesting, white box testing – many definitions and even more ways to conduct these tests, but how they help in the ultimate decision if the product requires additional investments? This paper will deep dive into a real attack executed by a red team against a multi-layer product.

A short story about the way security researchers and development teams cooperate to focus on doing the right and meaningful things, give developers a chance to grow and have time to hack their own code (when we get tired of playing ping pong).

This talk will present a plugin for GDB called Pwndbg, useful for debugging of assembly code, reverse engineering and exploit development.

The online training courses available quickly become obsolete? Are you interested in current aspects of attacks, including hardwar attacks? Do you need a solution for recruitment processes, education and promotion of your team in one? Don’t necessarily want to share your team’s knowledge with external training providers? Would you like to learn from members of the best CTF teams in Poland and  in the world ? Come and listen about Hackingdept.

Every day in internet Polish people are victims of the sophisticated criminals or… their naivety and stupidity. The effect of this two cases are the same – losing money. The lecture will try to illustrate how the „cybercriminals” have evolved over the last few months and indicate who they are and how much they earn.

Briefly talk about complications induced by hardware encryption of disks with the integrated USB connector and methods applied in data recovery and digital investigations.

During the presentation I will provide an overview of the most interesting cases of the use of social engineering in attacks on Polish Internet users in recent years and some victims’ reactions.

A lot of research has been conducted in recent years on performing code injection in the Windows operating system without touching the disk. The same cannot be said about *NIX (and Linux specifically).

Imagine yourself sitting in front of a blinking cursor, using a shell on a freshly compromised Linux server, and you want to move forward without leaving any traces behind. You need to run additional tools, but you don’t want to upload anything to the machine. Or, you simply cannot run anything because the noexec option is set on mounted partitions. What options remain? 

Almost each IT company has a GIT server. We treat it like something obvious, but are we aware that it can be a tidbit for the attackers? The security of a few GIT servers was put under examination and this presentation shows the results of the research that ended with discovery of vulnerabilities allowing for remote code execution.

The talk will cover bugs and security vulnerabilities in all sorts of binary analysis tools, support tools and libraries, useful in dealing with malware – at every stage of the analysis: network, binary and detection stage.

Many vulnerabilities mostly are basic coding errors, which, probably only with the help of cosmic rays, have been placed in the source code. I have not suspected their creators of such things so far

Memory mapping issues in Linux kernel drivers were discovered years ago. Despite the discovery of this category of issues, a number of vulnerable device drivers were developed for various platforms such as mobile devices, TV, routers, servers and many more types of embedded devices. It is believed that the primary reason for this is due to the lack of public guidelines about secure kernel development practices. Each developer has to learn it by himself. Often, they will only learn about the pitfalls, when a public exploit is created for their driver and the security team is expected to resolve it. This presentation aims to show the process of creating a fully weaponized exploit for faulty mmap implementation in Linux kernel drivers.

In a time when connecting consumer electronics to the web is cheap and easy, makers of all kinds of devices urge to add this functionality to their products. If only something has a battery, typically it also has wireless interface, mobile app, service in the cloud and broad attack surface associated with all these. Oftentimes it does not bring customers actual value, despite the cost of increased risk.

GDPR states that a „data subject shall have the right to receive the personal data concerning him or her, which he or she has provided to a controller, in a structured, commonly used and machine-readable format”. However, does an Excel file with embedded ActiveX controls meet such requirements? Also, what happens when the e-mail address of a data protection officer has a typo? I will present the outcome of my experiment, in which I tried to use GDPR while corresponding with ten Polish car and scooter-sharing companies.