Talk descriptions

How do hackers break into an organisation's internal network?, Boštjan Špehonja, GO-LIX d.o.o.
Success rate when conducting an internal security assessment:
• In 90% of organisations we obtain at least one valid domain username and password within an hour or two.
• In 60% of Slovenian companies/organisations we obtain the domain administrator's password within a day or two, thereby securing complete control over user privileges and the other domain services.
We do not use social engineering methods in the process; instead we focus on the technical exploitation of vulnerabilities. How do we succeed, even though organisations have all manner of security solutions in place? In the talk we will look at the most common techniques for exploiting an internal network, where the pitfalls lie, and how an organisation's internal network is compromised by logically chaining together small misconfigurations.

The Internet of Things (IoT) based on the web-interface architecture of a smart home or business, Žiga Podgoršek, Inštitut za korporativne varnostne študije
The talk will present an ethical hacker's view of the IoT-based technology deployed in smart homes and businesses. The speaker, Žiga Podgoršek, will draw on several examples from his own experience to show how this technology is implemented in practice, where its greatest weaknesses lie, and how to keep them under control. We will see that quite a few vulnerabilities are caused simply by incorrect implementation and by the implementation teams' insufficient understanding of the network segment. The talk will show the biggest mistakes that frequently occur in practice, and how many incorrectly implemented devices sit freely exposed on the Internet, waiting for malicious actors to exploit them one way or another.

How does artificial intelligence help us with information security?, Jurij Kodre, Deloitte
Machine learning and process automation have recently become key shapers of new business models. With them we can improve the effectiveness of both prevention and detection of security breaches: they enable faster detection of intrusions and a faster response, and ultimately reduce our dependence on the limited pool of skilled personnel in this field. We will also present several examples of security holes brought about by outdated technology and a lack of awareness of security threats.

Vulnerability Research in Large-Scale Systems, Jannis Kirschner, Independent Security Researcher
As our society undergoes a digital transformation, not only is the amount of data growing exponentially, but our software products are also rapidly increasing in size.
As an example, in early 2019 the Swiss government released the source code of its electronic voting system as part of a mandatory public intrusion test. Hackers from all around the world were invited to try to find vulnerabilities in this bug-bounty program. The codebase itself contained over 250’000 lines of Java code and, as a microservice architecture, was distributed over several interacting modules.
Naturally, the analysis of complex systems involves its own challenges and problems.
In this talk we are going to look at how to approach large-scale systems, what restrictions can make bounty hunting harder for researchers, and how to find vulnerabilities in massive security-critical applications.

Methodology Of Finding Vulnerabilities In Web Application Source Code, Damjan Cvetanović, RAS-IT
Web applications are today the most common form of application found in many important and critical systems. The increase in the popularity of hacking web apps can easily be seen across multiple bug bounty platforms and programs, but what would be the most precise way to fully test and understand the security of an application? The white-box approach is probably the best answer to this question. Reviewing every piece of functionality and making informed decisions based on the direct, known path from user input through variables and functions to the vulnerabilities at the end becomes not just a mandatory skill, but also a fun way to discover new vulnerabilities!

Hacking and protecting modern alarm systems, Črt Uršič, Fakulteta za varnostne vede UM
We hear more and more about protecting information systems and information: from software protection using the most modern machine-learning approaches for attack detection, the most modern encryption algorithms and the use of quantum computers, to legal measures for protecting data, such as the GDPR. Yet we know that an information system is only as secure as its weakest link.
But what about the most basic form of security, which also counts as one of the most important human needs: "physical security"? Or the devices we use to protect ourselves?
In the presentation we will look at the most common types of attacks used to break into wireless devices such as alarm systems. We will also look at the results of tests of the best-selling low-cost alarm systems, and at what to watch out for when buying such a system.

Medical Device Security: Please (don’t) be patient!, Julian Suleder, ERNW Research GmbH
Digital networking is already widespread in many areas of life. More and more medical devices in the healthcare industry are networked. The security of these devices will play a major role in the future, as the German Federal Office for Information Security (BSI) also shows in its 2018 report on the state of IT security in Germany, based on the steadily increasing range of smart medical devices. According to the BSI, this is underlined by the increasing number of attacks on these devices, with potential threats to patient safety.
The German Federal Institute for Drugs and Medical Devices (BfArM) publishes statistics on risk reports from medical devices annually. For 2017, these statistics report 7404 incidents involving active medical devices, popularly called medical devices, that could have endangered the life of a patient or user. The cause of these incidents can rarely be fully determined, since the specific harm, e.g. a burn or an overdose, is not traceable beyond doubt to a particular threat. Our research shows that medical devices performing critical tasks have only basic security mechanisms. In the clinical environment, these include medication pumps, anaesthetic devices, implants and large medical devices such as CT and MRI scanners. All of these devices have in common that they exchange sensitive health data in order to work as a unit.
Especially in the clinical environment, the complex and critical area of application, together with the long service life and intensive use of the devices, is a serious problem, since the security mechanisms are usually not designed for it. Weak points in these devices must be treated particularly sensitively, since disclosure must be well thought out and coordinated to keep the potential risk to patients low. A broken or tampered device can pose a massive threat to a patient’s life. Withholding information about vulnerabilities and incidents means that the affected user groups and patients cannot assess the risk themselves until a specific incident occurs. This risk is compounded by the fact that healthcare providers have to rely on information technology to deliver their services, often depending on outdated technology and insecure network-enabled medical devices.
To counter this trend, the Food and Drug Administration (FDA) in the USA and the German Federal Office for Information Security (BSI) in Germany published recommendations for manufacturers of medical devices in 2018. These specific guides for the design, implementation, operation and maintenance of the devices focus on device security. Particularly noteworthy is that the BSI, in contrast to the FDA, does not orient the required security mechanisms to the medical purpose and the specific risk to a patient, but rather to the mode of use and thus implicitly to the user groups operating the device.

Ethics in Network Measurements – Moral obligations of engineers, scientists and hackers, based on example of RIPE Atlas, Vesna Manojlović, RIPE NCC – RIPE Network Coordination Centre
When designing technologies, networked systems, and measurements on the Internet, we must be aware of their implications and consequences for the society and participants. As engineers, scientists, programmers and other experts, we have moral obligations towards our peers, users of technologies we create, and the wider communities.
In this talk I want to discuss both general ethical considerations and specific examples of moral dilemmas that arise from building the RIPE Atlas system and from conducting measurements that reveal the workings of Internet infrastructure and services.
RIPE Atlas (atlas.ripe.net) is an extensive measurement network in which the vantage points (sources of measurements) are hosted by volunteers: mostly individuals at home, but also some institutions (ISPs, IXPs, academia and various other businesses). RIPE Atlas users are therefore using someone else’s Internet connection to perform measurements. In order to recognise the ethical considerations surrounding the use of RIPE Atlas, we looked both into the historical considerations of engineers and scientists and into the practical constraints users should keep in mind.

Local lateral movement – new threat vector, Mane Piperevski, Piperevski & Associates
In order to use hacking tools or malware, attackers need to have them on the local machine, and all the known threat vectors for getting them there are well worn out. This lecture will show how Microsoft technology can be used against the Microsoft OS for lateral movement, and the ways to defend against this new threat vector.