DC 0471

Talk #1: Vulnerabilities in Blockchain

Shobha Jagathpal, Walmart Labs

Bio: Shobha Jagathpal has spent over 19 years on various information technology disciplines, focusing primarily on enterprise application development and consultation. Over the course of her career, Shobha has held increasingly engineering and management roles. As an information security practitioner, Shobha has extensive experience in Public Key Infrastructure, Web services security, Identity and Access Management, Incident and Event Management, Compliance Assessment, Vulnerability Assessment, Risk Assessment, GRC application customizations and integrating security tools to build enterprise solutions. She has managed all aspects of Software Development Life Cycle delivering world class products.

Abstract: Adoption of Blockchain has increased globally addressing various use cases referred to as Smart Contract apart from the main stream crypto currency use. As a result there has been increase in the Blockchain implementations involving various technologies so are the vulnerabilities introduced by developers from this implementations. Starting from the crypto layer, list of vulnerabilities associated with block chain will be presented with a show case of exploit impacting entire implementation of a Smart contract based Blockchain loose stakeholder trust.

[Slides]

Talk #2: A Brief Synopsis of Cyber security research on Connected Vehicles

Chris Dickman, Nissan Motor Corporation

Bio: Chris is the Business Information Security Officer for the Connected Car and Engineering division of Nissan Motor Corporation. As a cybersecurity professional working for one of the largest auto manufacturing companies, he understands the importance of identifying, remediating, and articulating cybersecurity risks for vehicles, applications, and infrastructure used by millions of customers and employees in all corners of the globe. Chris in an expert in reverse engineering cryptographic algorithms, vehicle inter-domain hardware connectivity and radio frequency control systems. His passion and motivation is driven by "real-world" attack methodologies with a focus of demonstrating actual cybersecurity risks within vehicles, for the safety of the industry and most importantly autonomous functions for the greater good. Chris is a Computer Science major with strong emphasis on software defined radios and is a contributor/member of OWASP. A technical leader, backend software engineer and exploit developer who has worked on multiple cybersecurity research projects for various companies in the public and private sectors. Chris is also certified as a GIAC Exploit Researcher and Advanced Penetration Tester (GXPN) issued by SANS.

Abstract: The hour presentation will deliver an overview of various vehicle connected services architectures from a professional cybersecurity researcher's perspective who works for a major automotive OEM. The researcher will take you on a walk down topics of methodology, researching environments and illustrate various industry wide attack vectors.

[Slides]

Talk #3: DETECT INSIDER THREATS USING BLOCKCHAINS

Nishit Majithia, Walmart Labs

Bio: Nishit Majithia is currently working as a security penetration tester at Walmart Labs, India. Earlier Nishit was a software developer in InfoSec Walmart Labs India team. Nishit has sound knowledge of java and c, c++, go and python. All fundamentals like operating system, data structures, database, network are very well familiar to Nishit. During the internship time of his B.Tech degree, he contributed one payload in ISRO's IMS-1A satellite. After getting M.Tech degree in Cyber Security area from IIT Kanpur, Nishit developed his curiosity in this security research field and that gave him the opportunity to represent himself in DefCon-2018 India Chapter.

Rohit Sehgal, Walmart Labs

Bio: A Security enthusiast with sound knowledge of Linux binary exploitation and web penetration testing. I love to play with secure systems and always tries to find innovative ways to crack systems. MTech from IIT Kanpur with specialization in System Security. Have experience in Cyber Security Lab IIT Kanpur and System Security team Samsung R&D centre Delhi. Currently working in Infosec team @Walmartlabs India.

Abstract: Many environments deploys database systems which are administered by centralized authority. Theauthority is capable enough to make modifications to database entries that goes unnoticed withmodification of access logs. These kinds of threats are Insider threats where the person having soundknowledge of internal network and administrative access can fiddle with the data. Logging does notproves to be a good way to detect such threats as attacker having access to the host can tamper thelogs accordingly.

In this paper we are going to present a techniques where the unauthorized changes made by attackercan be identified within a database system by minor changes to it. The idea extends the the tamperresistant behaviour of blockchain that adds meta-data (we call this meta-data as token) to each row todetect insider access. The technique have been implemented & tested with dummy HR managementapplication in which access to the entries is restricted with policies.

[Slides]

Talk #4: Polluting the DB connection: Connection string injection attacks

Anjana Sathyan, CloudSek

Bio: Anjana is a security Researcher at Cloudsek. She has over 2 years of experience in the cyber security. She loves painting and travelling.

Abstract: SQL injection is one of the most dangerous attacks existing in modern universe due to its high impact upon successful exploit. Proper input validation and use of parameterized queries help developers mitigate this issue successfully. However, the same injection vulnerability can be exploited using connection strings as well. The fact that a coordinated effort between developers, database vendors and system admins is required to mitigate this vulnerability increases the potential of this attack. The paper will explain the injection attacks that can be performed using connection strings. It will take you through various injection scenarios, injection vectors and a demo showcasing the attack. The paper is concluded with the mitigation strategies for the attack.

[Slides]

Talk #5: Reactifying Javascript - Insecurities And Secure Coding Practices

Jithin K S , Synopsys

Bio: Jithin is a security consultant at Synopsys. He has over 4 years of experience in the cyber security. Currently he is focused on security research of front end technologies like JavaScript, angular, react etc. He holds a Master's degree in Cyber Security and Information Assurance.

Kajal Krishnan G, Synopsys

Bio: Kajal works as an Associate Security Consultant at Synopsys. She holds a bachelor’s degree in computer science. Currently she is focusing on security research of various languages, frameworks and exploring cybersecurity. She loves trekking, badminton and travelling with no particular purpose.

Abstract: React is a JavaScript library for building user interfaces. Being a young framework, the platform has gained significant popularity among developers and is one of the preferred choices for front stack development. Despite its popularity and increased usage, very less amount of research is focused on secure coding practices for react. This paper tries to gain insights on what are the existing vulnerabilities present in react-js and their corresponding secure coding practices. Additionally, a demo showcasing the comparison of existing open source static analysis tools based on their efficiency in identifying these vulnerabilities.

[Slides]

Talk #6: Getting Started in Infosec with CTFs

Rahul R, Activbytes Technologies

Bio: Rahul is a Security Consultant at Activbytes technologies with 2 years of experience. He is also a CTF player, a bug bounty hunter and has interest in Redteaming.

Abstract: The talk is about how someone with little to zero knowledge in Information Security can gain a foothold in the Industry , Also a brief intro on different kinds of CTF and how to approach those challenges and how to even get a job from playing CTF's.

[Slides]

Talk #7: How do I pwn you

Vignesh C, KGISL

Bio: He has a few security hall of fames and a few CTF wins. He has worked on a wide range of topics in security, some of them include Red teaming, Infrastructure Pentest, Purple Teaming, Forensics and Incidence Response, Cyber Threat Intelligence, Cyber Footprint Assessment, Application Penetration testing .He has presented in various international conference including Balccon.

Meshach M, StrongBox IT

Bio: He has 4 years of experience in the Information Security field. Specialized in Web App, Network and Infra Testing. Good Knowledge in AWS and WAF. Currently working in a Startup called StrongBox IT located in Chennai.

Abstract: The core theme of presentation is all about pwning techniques and how big companies pwning up end users indirectly. The paper going to cover up following topics. Biometric collection of data and how it will be abused. Systematic and nonsystematic collection of data by the companies. How data collection which is done at past will be used for advertisement.

[Slides]

Talk #8: Router Firmware Reverse Engineering & Backdooring

Adithyan AK, OWASP Coimbatore

Bio: Adithyan AK is an Independent Security Researcher and a Public Speaker. He is the CEO and Co-Founder of StuxNoid. Adithyan AK has been acknowledged by Intel, Avira, AT&T, IIT Madras, VU University and many other companies for finding security vulnerabilities in their applications. He has delivered Guest Lectures on Ethical Hacking and Penetration Testing at various workshops and conferences including IIT Madras and Hindustan University(Chennai). He is Chapter Lead of Open Web Application Security Project Coimbatore Chapter. He has been into Information Security right from the age of 13 and has worked along with various Security Researchers for securing Web Applications. He has published his research papers on Remote Code Execution in Web Applications and Sniffing HTTPS in LAN by ARP poisoning. He has conducted Workshops on Ethical Hacking in Chennai and Vellore and delivered Guest Lectures for various colleges around Tamilnadu.

Abstract: The firmware of TP-Link router is downloaded from the internet. The reverse engineering of the firmware is done with binwalk and firmware-mod-toolkit. After extraction, a suitable payload is generated via Metasploit based on the firmware in suitable elf format. After payload generation, the payload is binded with /etc/init.d file or with any other scripts in that directory. The modified firmware is finally compiled and put together. After the flashing of the firmware in the router, the msf reverse shell is obtained from the router to the attacker machine and a command shell is opened.

[Slides]

Talk #9: ELK - Go beyond log monitoring

Aravind Prakash, HackIT Technology and Advisory Services

Bio: Aravind is a Security enthusiast working as Security Analyst at HackIT Technology and Advisory Services. He has 1 year experience in InfoSec. He holds a Bachelor’s degree in computer science. He worked in computer networking for 1.5 years. He loves travelling.

Abstract: ELK (Elasticsearch, Logstash, Kibana) Stack traditionally a log monitoring system. It is used for infrastructure monitoring with help of logs from different devices and services that are configured to send logs to the centralized ELK server in the infrastructure. With ELK we can look beyond log monitoring. Since the working of ELK is that, its process any file that is feed into the processing stream. We can filter that file to ours need. Because of this ELK can deal with any file format that is not a necessarily log file. Let’s take example, if we are doing a port scan with nmap and created an output file for the result , this file can be added into ELK and we can visualize the output in kibana for different parameters of the output. Nmap is a single example, any tool that can create an output can be added into ELK. We will go through how easy is to configure ELK and how to configure it for your various scanning tools.

[Slides]

Track 2: CTF

Capture the flag: organized by Red Team Village

https://redteamvillage.org

Red Team Village is a community driven combat readiness platform for Red teaming and Cyber security attack simulation. This community is managed by a group of cyber security and red team tactics enthusiasts. We can consider this as a platform to share tactics, techniques, and tools related to various domains of adversarial attack simulation. Red team village will be conducting workshops, talks, demonstrations, open discussions and exercises.

There will be a quick session about CTF competition with real world scenarios. Winners can go home with cool goodies.