Take care of security of information systems and data in your company!
Apply to participate in the Security PWNing Conference 2018!
The conference participants will get to know current IT security threats and the latest methods of protecting business assets. They will learn, among other things, what threats connecting different types of devices to their computers entails and how to counteract them.
Top experts will present the latest research results and advise on how to improve the security of operating systems and applications. There will also be news on technical IT security and carrying out safety tests.
The conference participants will receive not only a huge dose of knowledge, but also the opportunity to develop their business contacts.
– – – – – – – – – – – – – – – – – – – – – – – – -
On behalf of Gynvael Coldwind (Chairman of the Scientific Committee) and the Institute of PWN (Publishing House in Poland), we would like to invite you to attend "Security PWNing Conference 2018". As the PWN Group, we not only manage the publishing process but also provide educational training, including conferences and symposia. The meeting will take place on 19-20 November 2018 in Warsaw (Warsaw Plaza Hotel), Poland. The conference program is aimed at professionals who practice in the field of computer security. This is the third edition of the Security PWNing Conference.
Scientific Program
Simultaneous translation into English will be provided!

If people write custom firmware for routers, why not do it for a hotel door lock? We will present reverse engineering techniques suited to undocumented hardware and the possibilities for independently modifying the software. We will also show some exploits for these kinds of locks.

Red team tests consist of multiple scenarios in which penetration testers are given free rein to produce realistic attacks against a targeted company. To break into a company, attackers may try to find flaws in exposed services or send malicious emails. But when the company has a low level of exposure, and because developing undetected malicious emails is time-consuming, physical intrusions are, by contrast, more difficult to prevent.

A short presentation of selected vulnerabilities that we have come across while working in our institution.

Red teaming, pentesting, white box testing – many definitions and even more ways to conduct these tests, but how do they help in the ultimate decision on whether the product requires additional investment? This paper will deep dive into a real attack executed by a red team against a multi-layer product.
A short story about the way security researchers and development teams cooperate to focus on doing the right and meaningful things, give developers a chance to grow and have time to hack their own code (when we get tired of playing ping pong).

This talk will present a plugin for GDB called Pwndbg, useful for debugging of assembly code, reverse engineering and exploit development.

Do the available online training courses quickly become obsolete? Are you interested in current aspects of attacks, including hardware attacks? Do you need a single solution for recruitment, education and promotion of your team? Would you rather not share your team’s knowledge with external training providers? Would you like to learn from members of the best CTF teams in Poland and in the world? Come and hear about Hackingdept.

Every day on the internet, Polish people fall victim to sophisticated criminals or… their own naivety and stupidity. The effect in both cases is the same – losing money. The lecture will try to illustrate how "cybercriminals" have evolved over the last few months and indicate who they are and how much they earn.

A brief talk about the complications introduced by hardware encryption in disks with an integrated USB connector, and the methods applied in data recovery and digital investigations.

During the presentation I will provide an overview of the most interesting cases of the use of social engineering in attacks on Polish Internet users in recent years and some victims’ reactions.

A lot of research has been conducted in recent years on performing code injection in the Windows operating system without touching the disk. The same cannot be said about *NIX (and Linux specifically).
Imagine yourself sitting in front of a blinking cursor, using a shell on a freshly compromised Linux server, and you want to move forward without leaving any traces behind. You need to run additional tools, but you don’t want to upload anything to the machine. Or, you simply cannot run anything because the noexec option is set on mounted partitions. What options remain?
After an intense conference day, we invite you to the after party in Warsaw Plaza Hotel (in the foyer of the conference room). During this informal meeting, you will be able not only to relax, but also to talk with other participants and speakers and make new contacts.
During the meeting, we will provide a buffet dinner and drinks. We will also give you vouchers for free beer and wine, which you can pick up during the after party.
START: 19th November, 8 pm
Have fun!


Almost every IT company has a Git server. We treat it as something obvious, but are we aware that it can be a tempting morsel for attackers? The security of a few Git servers was examined, and this presentation shows the results of research that ended with the discovery of vulnerabilities allowing remote code execution.

The talk will cover bugs and security vulnerabilities in all sorts of binary analysis tools, support tools and libraries, useful in dealing with malware – at every stage of the analysis: network, binary and detection stage.
Many of the vulnerabilities are basic coding errors, which, probably only with the help of cosmic rays, have been placed in the source code. I have not suspected their creators of such things so far.

Memory mapping issues in Linux kernel drivers were discovered years ago. Despite the discovery of this category of issues, a number of vulnerable device drivers have been developed for various platforms such as mobile devices, TVs, routers, servers and many other types of embedded devices. It is believed that the primary reason for this is the lack of public guidelines on secure kernel development practices. Each developer has to learn them on their own. Often, they only learn about the pitfalls when a public exploit is created for their driver and the security team is expected to resolve it. This presentation aims to show the process of creating a fully weaponized exploit for a faulty mmap implementation in Linux kernel drivers.

At a time when connecting consumer electronics to the web is cheap and easy, makers of all kinds of devices rush to add this functionality to their products. If something has a battery, it typically also has a wireless interface, a mobile app, a service in the cloud and the broad attack surface associated with all of these. Oftentimes this does not bring customers actual value, despite the cost of increased risk.
GDPR states that a "data subject shall have the right to receive the personal data concerning him or her, which he or she has provided to a controller, in a structured, commonly used and machine-readable format". However, does an Excel file with embedded ActiveX controls meet such requirements? Also, what happens when the e-mail address of a data protection officer has a typo? I will present the outcome of my experiment, in which I tried to use GDPR while corresponding with ten Polish car and scooter-sharing companies.


Coverage
SECURITY PWNing CONFERENCE 2018 – the third edition is now history
On 19-20 November, the third edition of the "SECURITY PWNing" conference took place in Warsaw, gathering a record number of over 400 people interested in the practice of computer security. For our part, we made every effort to ensure that the selection of topics and speakers met the expectations of the specialist audience and that the conference earned a permanent place in the calendar of the most important IT events in Poland.
As in last year's edition, the conference was opened by the Chairman of the Program Council, Gynvael Coldwind, who is responsible for the substantive side of the meeting. The invited speakers, joined by experts selected through the Call for Papers, shared their knowledge, practice and extensive experience. Participants could learn about, among other things, hacking the firmware of hotel locks and carrying out attacks on wireless networks during red teaming, and received a solid dose of information about JWT tokens. There was also plenty to learn about hunting for bugs in electronic banking, the costs of red teaming, and the dangers lurking for the average internet user. Because guests from abroad took part, all talks were simultaneously translated into English.
In addition, during this year's edition of "Security PWNing", participants could take part in a competition counted towards the CTFTime general classification. The competition was organized by the Dragon Sector team, one of the best CTF teams in the world. The winning teams, which most efficiently solved tasks in reverse engineering, low-level exploitation, cryptography and web application security, received cash prizes. Once again, congratulations to everyone who took part in the fierce competition.
After a solid dose of technical information, conference participants could relax by playing cult games on hardware from a dozen to several dozen years ago, prepared by Fundacja Dawnych Komputerów i Gier. Guests also used one of the most technologically advanced VR sets, which took those hungry for additional sensations into the realm of augmented reality.
Conversations in the corridors and the time spent together at the after party were an excellent opportunity for networking and for exploring interesting topics further. We believe these were two fruitful days among people who share a passion for IT security. We already invite you to take part in Security PWNing 2019. See you next year!
Materials
- Hardware RE: hacking hotel lock firmware and writing a better one
- PentHertz - the use of radio attacks in red team and penetration tests
- Hacking JWT (JSON Web Token)
- Getting the most from Cyber Security Assessments
- Low-level debugging with Pwndbg
- From Shellsort to Shellsort like a MacGyver style
- Good old mmap: exploiting mmap in Linux kernel drivers
- GDPR in practice: how per-minute vehicle rental companies fulfil consumer rights
- C/C++ vs Security!
Video 2017
Speakers
Program Council
Chairman of the Program Council
GYNVAEL COLDWIND
A programming enthusiast with a passion for IT security and the low-level aspects of IT, and the author of numerous articles, publications, podcasts and talks devoted to these topics. In 2013 in Las Vegas he received (together with Mateusz Jurczyk) a Pwnie Award in the category "The most innovative scientific research" in the field of IT security. Captain and co-founder of Dragon Sector, one of the best CTF teams in the world. Since 2010 he has lived in Zurich, where he works for Google as a Senior Engineer/Information Security Engineer. Author of the books published by PWN: "Understanding Programming" and "Practical Reverse Engineering".
Program Council
Gynvael Coldwind – https://gynvael.coldwind.pl
Piotr Duczyński – http://isaca.waw.pl
Mateusz Jurczyk – https://j00ru.vexillium.org
Mateusz Kocielski – http://www.akat1.pl, https://logicaltrust.net/
Borys Łącki – http://bothunters.pl
CTF SECURITY COMPETITIONS
Our conference will host the Dragon CTF organized by the Dragon Sector team.
The CTF will count towards the CTFtime.org general classification and will be held in the Jeopardy 4-players-per-team formula, with task categories including reverse engineering, low level exploitation, cryptography and web application security.
The total prize pool is 17 000 PLN.
In addition, an online CTF teaser will be run on the 29th-30th of September. The prizes for top teams in the online teaser include reimbursement of accommodation and travel expenses for the main competition. For details, please see https://ctftime.org/event/648.
We invite all conference participants and the top 10 teams from the teaser to participate in the Dragon CTF.
ORGANIZER
SPONSORS
Attractions
RELAXATION ZONE
We invite you to play together in virtual reality! VR Project has prepared many attractions for you!
In the VR zone you will be able to try one of the most technologically advanced VR sets – Oculus Rift with Touch controllers. The system allows motion tracking and full interaction with the virtual environment. Thanks to that, we guarantee the WOW effect and unforgettable impressions. You will be able to explore the depths of the ocean, shoot drones somewhere in space, or try rock climbing without belaying.
The zone will be available on 19th November from 10 am to 6 pm.
Sponsor of the relaxation zone
INTERACTIVE EXHIBITION OF GAMES AND COMPUTERS
The "Dawne Komputery i Gry" Foundation has organized a zone for you, in which you will find computer equipment from a dozen to several dozen years ago.
The exhibition is fully interactive – so you can not only look at the equipment, but also play computer games from years ago!
And what will you be able to play, and on what?
PONG, Atari 2600, Atari 65XE, Amiga 600, NES, SNES, Nintendo 64, Commodore 64, Nintendo GameCube, Sega Master System II, Sega Mega Drive II and many more.
The exhibition will be available on 19th November from 10 am to 11 pm, and on 20th November until 6 pm.
Place and date
ul. Łączyny 5
tel.:22 431 08 00
e-mail: wph@warsawplazahotel.pl
CALL FOR PARTNERS
We’d like to invite you to co-create the Security PWNing Conference 2018!
If you are interested in cooperation or in delegating your employees to participate in the conference, please contact Natalia Popiel (natalia.popiel@pwn.pl).
We will be very glad if your company joins our team!