The second BSides Conference in Umeå, Sweden will take place June 4th to 5th. It is a community conference on IT security and related fields, part of the global BSides community, and is arranged by Academic Computer Club in Umeå.
Late registration is open as long as we have seats, but the registration no longer includes dinner as of 2024-05-22. There will also be a limit to how many more seats we can fit for lunch, and any dietary concerns might no longer be possible to handle.
The first event took place in 2023: https://indico.neic.no/event/244/
The Tuesday keynote on June 4th will be by Beau Bullock on Graph Theory: Unveiling the Microsoft Entra ID Post-Exploitation Landscape.
For more interactions and micro updates, follow us on Mastodon or join our Slack server.
Welcome and practical matters for BSides 2024
In today's cloud-driven landscape, Microsoft Azure and 365 (M365) have become essential tools for businesses worldwide. However, beneath their user-friendly facades lie a landscape rife with potential threats stemming from default configurations. Through years of attacking Microsoft cloud environments during red team engagements I have found commonalities across many companies where overlooking default settings has left them vulnerable.
Very recently I released a new post-exploitation tool for Microsoft Entra ID accounts called GraphRunner. This tool leverages the Microsoft Graph API, which is a fundamental piece of infrastructure for much of Microsoft 365 and Azure. I will demonstrate how this API can be leveraged to perform post-exploitation of a Microsoft Entra ID account to perform reconnaissance, establish persistence, escalate privileges, and ultimately pillage data from services such as SharePoint, Teams, and email.
Throughout the talk, I will present real-world examples that underscore the critical importance of proactive defense. These demonstrations will be supported by practical, hands-on showcases featuring custom-built tools crafted specifically for these targeted attack scenarios.
Passwords are out! So of course you do not need to manage them anymore. Passkeys, on the other hand, are the talk of the town as well as the topic of this talk.
If you have heard about passkeys before and are curious to know more about them then this talk has got you covered. If you haven’t heard about them before but want to stay à jour, then this talk is a must.
This talk will be a crash course into WebAuthn and Passkeys and provide you with everything you need to know to start supporting it in your own applications.
EISCAT Scientific Association are currently building EISCAT 3D, the next generation research radar on the Northern European mainland.
This is a research infrastructure that will significantly enhance the capabilities of ionosphere and near Earth space research. The design and complexity of the system raise challenges that are new to our research communities but more commonly encountered in particle physics and radio astronomy. In addition to that there are also new issues related to EISCAT 3D being a multistatic antenna array system.
Ever since the introduction of chroot() in the late 70s the concept of jailing (locking down) services has been a choice for the security minded to introduce damage prevention to their services. It's always better to write secure services rather than just locking them down, but it's not always possible, and the addition of jailing can be a good second line of defence against unknown vulnerabilities in your services.
The options for jailing have come a long way since the introduction of chroot() and in a modern Linux kernel there are multiple different and competing ways to lock down a certain service. Some of them, like namespaces, got popularized by container technologies like Docker, but most of them are useful in more contexts than just containers.
This talk will give an overview of those technologies and how they can be added on to a service with the help of systemd with no or almost no changes to the service itself, making it especially helpful when trying to secure legacy services and third party code.
django-ca is a feature-rich certificate authority written in Python and maintained for around 10 years. As I write this talk submission, I am working with the maintainer to add HSM support to the application, so that it can be used inside of Sunet and various other security sensitive installations.
A related blog post: https://kushaldas.in/posts/django-ca-hsm-and-poc.html
A decade ago, the Mirai DDoS botnet was the biggest seen with a capacity of roughly 600 Gbit/s packet floods. The week after the high-profile attack on krebsonsecurity, they pointed the direction at a Libera Chat (at the time known as "Freenode") IRC server hosted by Academic Computer Club at Umeå University.
This talk gives a brief overview on how the network providers SUNET and NORDUNet mitigated the impact so that the University as a whole was unaffected, and only the targeted server and the computer club saw minor glitches in external connectivity.
THIS WORK HAS BEEN ACCEPTED AND PRESENTED AT IEEE SECDEV 2023
Android is an operating system widely deployed especially on devices such as smartphones. In this paper, we study the evolution of OpenJDK Java Class Library (JCL) versions used as the basis of the Dalvik Virtual Machine (DVM) and the Android Runtime (ART). We also identify vulnerabilities impacting OpenJDK JCL versions and analyze their impact on Android. Our results indicate that the complexity of the Android JCL code imported from OpenJDK increases because: (1) there is an increase in the number of classes imported from OpenJDK, (2) there is an increase in the fragmentation of the JCL code in Android as code is increasingly imported from multiple OpenJDK versions at the same time, and (3) there is an increase in the distance between the JCL code in Android and OpenJDK as, for instance, Android developers introduce customizations to the imported code. We also observe that most OpenJDK vulnerabilities (80%) are not impacting Android because the vulnerable classes are not imported in Android. Nevertheless, Android does import vulnerable code and little is done to patch this vulnerable code which is only "patched" when a newer version of the vulnerable code is imported. This means that the code can stay vulnerable in Android for years. Most of the vulnerabilities impacting Android (77%) have a security impact on the availability of the system. By developing a proof-of-concept, we show that OpenJDK vulnerabilities imported in Android do have a security impact. We suggest to seriously take into account public information available about OpenJDK vulnerabilities to increase the security of the Android development pipeline.
and creates many new ones. The federation team at SUNET manages the Swedish identity federation for higher education (SWAMID). We are also involved with the eduGAIN inter federation and in some new EU projects looking into Verifiable credentials as basis for a digital wallet. Another area of development is OpenID Federation, an extension to OIDC to allow federation. This will allow us to hook VC's into an existing trust framework. I will give an overview of what we have managed to build, what's next and what new capabilities this gives.
Should law enforcement use hacking tools? Is XSS dead? And which one is the greatest threat to security: AI or the EU?
In this session our panelists will tackle controversial topics with their wit and wisdom, from hacking ethics to encryption, privacy and those lazy programmers.
Insecure deserialization is regarded as one of the OWASP Top 10 software vulnerabilities. While requiring somewhat complex exploitation prerequisites, the impact of exposing this type of vulnerability is severe, often leading directly to remote code execution. The attack model is based on self-executing methods, invoked during the native deserialization process - so-called gadget chains. Within the Java programming language this mostly refers to the invocation of readObject(). Serializable classes may override this method to implement custom deserialization logic, and thereby call further seemingly harmless methods. In our presentation we show how an attacker can leverage this to construct a chain of method invocations leading to undesirable effects. Furthermore, we analyzed and show how deserialization vulnerabilities rely on gadgets contained in third party libraries, affect latest JDK and library versions, and how one can use this information to gain visibility on the issue and harden Java applications.
This lightning talk will showcase some dangers of technology on human society, from history to modern time.
Memory corruption vulnerabilities still allow compromising computers through software written in a memory-unsafe language such as C/C++. This highlights that mitigation techniques to prevent such exploitations are not all widely deployed. In this paper, we introduce SeeCFI, a tool to detect the presence of a memory corruption mitigation technique called control flow integrity (CFI). We leverage SeeCFI to investigate to what extent the mitigation has been deployed in complex software systems such as Android and specific Linux distributions (Ubuntu and Debian). Our results indicate that the overall adoption of CFI (forward- and backward-edge) is increasing across Android versions (∼30% in Android 13) but remains the same low (<1%) throughout different Linux versions. Our tool, SeeCFI, offers the possibility to identify which binaries in a system were compiled using the CFI option. This can be deployed by external security researchers to efficiently decide which binaries to prioritize when fixing vulnerabilities and how to fix them. Therefore, SeeCFI can help to make software systems more secure.
In my talk, I'll dive into the world of game-based learning in cybersecurity, showcasing HackBack - a unique framework that blends role-playing game elements with security training. I'll explain how HackBack revolutionises traditional methods by providing immersive, risk-free simulations of security situations, both offensive and defensive, making it ideal for teaching concepts like Zero Trust and enhancing teamwork and empathy among participants. We'll explore the open-source nature of HackBack and how it fosters a community-driven approach to cybersecurity education, making it accessible and adaptable to various settings. Join me to discover how game-based learning is a crucial, yet often overlooked tool in developing effective security professionals.
I'll host a game of HackBack, an Incident Response role-playing game, loosely inspired by Dungeons & Dragons.
Dive into HackBack at BSides Umeå, where cybersecurity meets the intrigue of Dungeons & Dragons. Picture this: a world where you combat cyber threats not with mouse clicks, but with the cunning of a rogue and the wisdom of a wizard. This isn't your average workshop; it's a crash course in digital defense, served with a side of adventure and a sprinkle of wit.
Why just talk about Zero Trust when you can live it, battling digital dragons and forging alliances along the way? Our HackBack session is more than just rolling dice; it's about rolling up your sleeves and diving headfirst into the cyber fray, all while laughing in the face of danger.
Join us at BSides Umeå for a unique blend of learning and levity, strategy and silliness. It's time to level up your cybersecurity skills in the most entertaining way possible. Let's HackBack together and show those cyber threats they've met their match!
In this workshop we will learn how to write Python modules in Rust. Starting from the Python cryptography module, various other parts of the Python ecosystem now have tooling written in Rust.
The main reason is having more secure code than the C/C++ based extension modules we had so far.
The participants will not need any prior Rust experience; we will work on top of a git repository and keep changing branches to learn new features.