HEK.SI 2018 – conference recordings – short 3 min clips (2019-02-07T12:09:19+00:00)

HEK.SI 2018

Highlights from the HEK.SI 2018 Conference

See what the HEK.SI Conference, held on 5 and 6 March 2018, was like.

Short clips of the talks – HEK.SI 2018

OWASP ZAP Scripting – To Infinity and beyond!

Mane Piperevski, Piperevski & Associates

(Advanced) Android Mobile Application Hacking

Mislav Boroš, INFIGO IS d.o.o.

This presentation will demonstrate some examples of how to efficiently reverse and modify tested Android applications, based on dozens of mobile application penetration tests performed by INFIGO IS. Instead of blindly using different tools, we will get our hands dirty and show how to bypass and intercept custom encryption modes, manually remove different security controls (like certificate pinning and jailbreak detection) and even quickly develop custom testing applications while recycling the original application code.

How to improve a company's security posture as cheaply as possible?

Andrej Vnuk, ALEF Distribucja SI d.o.o.

Hackers, Threats and Cyber Defence: the S&T Slovenija approach

Andrej Skamen and Marko Jenko, S&T Slovenija d.d.

Hackers and ethical hackers. Attackers and defenders. It is a constant battle between two sides, with users, their data and the way that data is handled caught in between. The talk will present the main highlights of this battle, such as some hacking techniques, how to find and respond to threats, and how to build an appropriate cyber defence. We will also present the experience of the S&T Slovenija d.d. team in the field of cyber defence, along with a few examples.

Core Banking Systems, Crypto coins and other business solutions are under attack

Balázs Hambalkó, Balasec

What is it? You think you own it because you have bought it. But it’s useless to you, thanks to people’s approach. It’s IT security at your system! I will be talking about the reasons why enterprise-level companies/solutions (banks, agencies, core banking systems, crypto coins, and so on…) are still suffering and are still under (successful) attack. Based on some true stories I encountered in 2017 …

Security vulnerabilities, responsible disclosure and smart contracts

Gregor Pogačnik, Fundacija SICEH

We will look at examples of vulnerabilities in smart contracts (on Ethereum) because of which several million “disappeared”. More and more organisations offer rewards for the responsible disclosure of security flaws. The rewards are sometimes only symbolic, at other times relatively large sums. We can only roughly estimate the real price of a complete exploit for a given vulnerability on the grey market, but the figure is probably often higher than the rewards. With smart contracts, on the other hand, we know exactly how much money is at stake. This makes the challenge of motivating researchers to report responsibly all the greater.

CVE-Scraper

Alex Conti, Politecnico di Milano

During pentest activity the most painful part is reporting the issues found. We are struggling to improve our reporting method while decreasing the time we spend on it. We think that in this way it’s possible to focus on the real pentest activity, which is more useful and a lot more enjoyable! I have an idea to make vulnerability reporting faster and also to make it easy to find software vulnerabilities, exploits and remediations. Online there are plenty of sites that make CVEs available for a specific software version, and there are also many places where it is possible to find exploits. In order to automate this process I thought of downloading and keeping updated some CVE databases, indexing the vulnerabilities and looking up details offline. Alternatively the search could be made online in real time, in order to use as little disk space as possible.

NAT64 experiments in Go6Lab and the NAT64Check tool

Jan Žorž, Go6 / Internet Society

As many mobile operators are moving to IPv6-only, which is incompatible with IPv4 on the wire, it is necessary to employ transition mechanisms such as 464XLAT or NAT64. The Go6lab NAT64/DNS64 testbed was therefore established so that operators, service providers, and hardware and software vendors can see how their solutions work in these environments. This has already generated significant interest, and instructions on how to participate are available on the Go6lab website.

Designing practical Audit Trails in Oracle

Pete Finnigan, Oracle Security specialist

Pete will present the situation faced by most DBAs: an Oracle database that has only the limited audit trail settings provided by Oracle by default. These settings have been enabled since version 10.2, but do they work? Do they provide accountability? Let’s see. Pete will briefly introduce two web applications developed with Oracle as the back end and show, while hacking the applications and revealing details such as credit card numbers (PCI) and customer details (GDPR), how well Oracle’s default audit trails perform: do they catch the actions performed, and can we detect what happened and by whom?

Abuses and pitfalls of the blockchain world

Tadej Hren, SI-CERT

onyx – a unique search engine that crawls the entire web and identifies outdated platforms

Primož Cigoj, Institut Jožef Stefan

Onyx is a solution for creating a unique search engine that crawls the entire web with one and only purpose: to index the currently running software version and identify outdated ones. Based on the security hole and the indexed version of the software, it would be possible to assess the potential damage. Owners of websites running vulnerable software could then be warned to update their software.

The problem of possession of evidence in electronic form

Tadej Stergar, Inštitut za forenziko informacijskih tehnologij

Abuse of saved Wi-Fi network profiles

Andraž Jelenc and Anže Nunar, FRI and FMF

Life today would be hard to imagine without wireless internet. It lets us send e-mail and browse the web without dragging a network cable behind us. The importance of this technology will only grow in the future, as water meters, refrigerators and pacemakers will communicate over Wi-Fi too. A large share of wireless networks is Wi-Fi, whose security for the most part rests on the WPA security protocols (WEP in the past). But none of that helps us if the device automatically connects to an access point owned by the attacker.

Will 2018 be a turning point for cyber security in Slovenia?

Gorazd Božič, SI-CERT

Hacking intrusions and the new Information Security Act

Gregor Potočnik, member of the working group drafting the Information Security Act

Darktrace, the enterprise network immune system developed by leading mathematicians and ex-government intelligence specialists, has arrived in Slovenia. The Darktrace Enterprise Immune System technology detects and responds to previously unidentified threats, powered by machine learning and mathematics developed by specialists from the University of Cambridge.

How we introduced NIS Directive into Croatian legislation?

Jurica Čular, Croatian Government’s CERT

On May 9, Croatia will, along with other EU member states, introduce new cyber legislation as a result of the NIS Directive transposition. Creating a policy in a predominantly unregulated environment was a challenging process that involved many stakeholders with different levels of cyber awareness. This talk will bring insight into the key stakeholders involved in the new policy and detailed explanations of the Croatian approach used to tackle the key NIS Directive demands.

Why everybody should do CTF/Wargames?

Miroslav Štampar, Croatian Government’s CERT

All companies try to ensure the best possible security of their IT systems. They assess risks, install security patches, strive for secure application programming, set up protective and monitoring systems to prevent and detect intrusions, and so on. Whether these measures are actually effective is best verified by simulating an attack that uses techniques similar to those real attackers would use. The topic of the talk is organising a penetration test: how to select the systems to be tested, what the penetration test should cover, what the most important criteria are when choosing a provider, and how to use the findings and recommendations received from the testing provider.

Human Firewall

Gorazd Rolih, Slovenska vojska

Information technology is with us practically everywhere today. It has made our lives considerably easier, but on the other hand it also threatens us. What role we humans play in this is what Gorazd Rolih, a major in the Slovenian Armed Forces who has worked in information security for many years and is, among other things, also interested in its psychological side, will try to determine.

The PENtesting is mightier than the sword

Matija Verić, Atia Consulting

The PENtesting is mightier than the sword – We will cover why penetration testing is important and what the prerequisites are for both the customer and the penetration tester to make the best of the project. Furthermore, we’ll be showing selected information from real cases.

Counter-surveillance sweep (TSCM)

Aleš Ažman, Detekta d.o.o. and Tibor Tajnšek, Detektivsko Varnostna Agencija Dva Fokus d.o.o.

– Hollywood or reality?

– Counter-surveillance sweep (Technical Surveillance Counter Measures (TSCM))

– INFOSEC & TSCM

– Eavesdropping and recording devices

– Conducting the sweep

The experience of CERT-UA in cyber threat counteraction

Yevheniia Volivnyk, CERT-UA

Presentation of CERT-UA team activity. APT attacks on the information systems of Ukraine. Cyber Incident Response Center.

My toaster is a criminal

Urban Suhadolnik

Why is security in IoT and other embedded devices important, and what are the consequences if (or rather, when) we do not adhere to it?

“Foggy” technology

Elijah Hlastan and Žiga Deutschbauer, Fogy Tech

Have you ever sat in a café and logged onto Facebook? Maybe your bank account? Did you ever wonder who else was logging on with you, watching what you do, stealing your credentials? As hackers, we think about these problems regularly. Which is why we are creating a product to protect individuals from data theft. Come and interact with us as we present our product in development, and share your ideas with us as we work to build a safer browsing experience for others. The world of cyber security is strange and uncertain. You could almost say the future is a bit FOGy.

How can you protect your own environment from hackers and ransomware?

Miha Pihler, Mikeji d.o.o.

ROUND TABLE: What kind of law does Slovenia need to protect against hackers?

Tadej Vodopivec, Comtrade d.o.o.
Gregor Potočnik, member of the working group drafting the Information Security Act
Boris Vardjan, SKB d.d.
Matej Kovačič, Institut Jožef Stefan
Boštjan Kežmah, CEPRIS d.o.o.

  • What kind of law does Slovenia need to protect against hackers?
  • What new laws are coming in this area?
  • To whom do we report hacking intrusions under the new ZVOP-2 (GDPR), and to whom do we report under ZIV (the new Information Security Act)?

Want access to the full recordings?

To view the full recordings of the HEK.SI 2018 conference, you must purchase access to the online portal.