Programme
The general programme took place in the Large Assembly Hall.
Framework programme
- Exhibition stands | A.0.19 Main hall A
- Alumni Lounge | A.0.11 Small assembly hall, building A
- Simon Tjoa | Head of Department of Computer Science and Security, St. Pölten UAS
- Markus Aulenbach | Lower Austrian Economic Chamber UBIT
Thomas Brandstetter | Lecturer, UAS St. Pölten
Eneken Tikk | Founder, Cyber Policy Institute and Associate Fellow, Erik Castrén Institute, University of Helsinki
CI has become a deliberate target of malicious and hostile cyberattacks. Added political risk adds a layer of expectations towards CI owners and operators to protect and even defend their systems against such intrusions. This presentation will discuss angles through which CI protection can be supported with law, policy and diplomacy. Alongside the obvious causes of politically motivated cyberattacks against CI, it discusses the enablers of such attacks, and how to moderate factors that make cyberattacks against CI more likely, or more successful. We will discuss trends in national strategy and legislation as well as international cybersecurity talks and how they interact with organizational and technical measures taken on-site.
Walter Fraißler, Florian-Sebastian Prack & Paul Mader | VERBUND
*** Due to legal reasons, this lecture will not be streamed via YouTube. ***
Johann Stockinger | T-Systems Austria
*** Due to legal reasons, this lecture will not be streamed via YouTube. ***
Alexander Tauber, Stefan Pfeiffer & Mikail Bulduk | Accenture
Increased complexity in corporate networks requires that information security is constantly rethought and that new tactics are developed to ensure it. One creative approach taken in this paper is to apply tactics from the game StarCraft 2 (SC2) to cyber defense strategies. As a result, some strategies that are already widely known and used can be derived. However, this also offers approaches for developing new strategies that are not yet established in companies. Not only explicit measures can be derived, but also the mindset needed to keep up with others in a competitive environment and to critically review and improve the required capabilities.
*** Live stream via YouTube ***
Felix Eberstaller | Limes Security
*** Due to legal reasons, this lecture will not be streamed via YouTube. ***
Gideon Teubert | K-Businesscom
*** Live stream via YouTube ***
Stefan Prinz & Daniel Kroiss | KPMG
*** Live stream via YouTube ***
Daniel Haslinger & Christoph Lang-Muhr | UAS St. Pölten
*** Live stream via YouTube ***
Marina Krotofil
In recent years, we have witnessed a growing volume of research on the security of embedded systems used in industrial process control applications, including Programmable Logic Controllers (PLC) and Remote Terminal Units (RTU). This increased interest reflects both the large number of “low-hanging fruit” vulnerabilities, making industrial controllers attractive research targets, and an increased interest from adversaries in subverting industrial processes. To date, research efforts have predominantly focused on firmware vulnerabilities, or on bypassing traditional security controls implemented as part of the PLC's software. In this talk, we will introduce a novel exploitation vector, one previously unconsidered in existing works.
More specifically, we will show how PLC programming practices, user APIs, and memory allocation for function blocks from the Library Functions open the door to automated enumeration of PLC control logic, identification of key infrastructure configuration parameters and process control variables, and their consequent targeted manipulation to achieve a desired attack impact. Additionally, allocated but unused memory can be applied to the establishment of covert C2 channels, through which attackers can run standard security tools, exfiltrate data and execute high-precision cyber-physical attacks on previously inaccessible network segments. To keep the story realistic and interesting, we formulate our threat scenario around a realistic industrial network architecture with the advisable security measures, including the integration of network monitoring and segregation from the Internet via firewalls.
The set of proposed exploitation techniques is stealthy and allows for the development of fully automated physical damage payloads of high precision, significantly raising the level of attacker capabilities. The main purpose of this talk is to initiate a discussion around the need for guidance and best practices to support DevSecOps for industrial equipment, which take into account the engineering designs of equipment, and specifics of its usage in cyber-physical applications. Current PLC software designs and programming practices are still largely under-researched. With this talk, we provide an example of their unexplored attack surface and a novel vulnerability class, and invite the security community to further research into the topic.
*** Live stream via YouTube ***
Thomas Weber | CyberDanube
Every year, numerous big and small incidents in industrial environments, for example in power plants, factories, or in the food supply, find their way into the newspapers. All of the affected industries are backed by highly branched and historically grown Operational Technology (OT) networks. A big portion of such incidents could have been avoided if network segmentation had been done correctly and patches for user devices (not always possible in OT) had been installed. Despite such known problems, which also lead to the compromise of traditional IT networks, a bunch of unknown vulnerabilities are unfortunately also present in OT infrastructure. OT in modern factories consists of networked (and smart) devices, especially on level 1, also called the control level, of the Purdue model. Devices such as PLCs, industrial routers/switches, data diodes, and more cannot easily be tested while they are in use by the factory. Therefore, classification and monitoring solutions from different vendors are used so as not to put the running infrastructure at risk.
These non-intrusive ways of getting a picture of the running infrastructure only give a partial overview of the vulnerability landscape in the OT network and cannot detect unknown vulnerabilities. Testing such expensive devices instead of using them is often not desired due to the price, and spare items must be available, which is another reason why those devices cannot be touched either. For this reason, digital twins – in terms of virtualization – of the devices in the factory should be created for pentesting purposes. These twins can be built with different tools (open source/closed source) and have been used for identifying 0-days during an ongoing research project.
After their creation, the virtual appliances were connected to form a fully fledged OT network, to imitate a real industrial environment. Testing those virtual appliances does not harm the real infrastructure, but provides a lot of valuable information about the systems in scope. This was tested in practice during engagements and has been recreated and edited for a talk, which also includes vulnerabilities that were discovered during such a test setup.
*** Live stream via YouTube ***
Claudia Ully | NVISO
Making a quick bank transfer, tracking our next run, sending photos of the kids to their grandparents, or ranting about politics in our private chat group – our smartphones have become a treasure trove for those with malicious intent. Still, awareness of mobile malware threats is far less prevalent than it is for common computer systems. But how exactly do attackers gain access to mobile devices? In this presentation, we will examine current examples of Android malware and the techniques they use to turn your mobile phone into a nightmare. You will learn when you should get suspicious and what to do (and not to do) to protect yourself from becoming a victim.
*** Due to legal reasons, this lecture will not be streamed via YouTube. ***
Steffen Robertz | SEC Consult Unternehmensberatung
Electronic Shelf Label (ESL) tags are increasing in popularity. More and more stores switch their price tags to digital ones for various reasons, such as competing with online wholesalers. In this talk, we will show how we analyzed the 433MHz connection of a popular ESL tag and identified multiple security flaws that allowed us to spoof the RF signal and display arbitrary content on the displays. Furthermore, the original manufacturer of the E-Tag labeled microcontrollers was discovered. This talk will give an overview of analyzing unknown hardware with an unknown RF protocol without any prior known research.
*** Live stream via YouTube ***
Jovan Zivanovic | SBA Research
With the plans to increase the number of reverse vending machines in Europe, it is relevant to take a look at the security mechanisms implemented in such vending machines [1,2]. Currently, in Austria, most stores provide such machines for the return of glass bottles; however, the government also wants to add vending machines for plastics. Security plays an important role with these machines, as they exchange the bottles for money, and an insufficient security mechanism could allow attackers to practically print money. It is not uncommon for such machines to be targets of malicious actors [3,4,5]. We took a look at the vending machines present in most supermarkets in Vienna and found that some machines are not secured well enough. In many cases, we found that the generated receipts – exchanged for money at the cash register – are not secure enough. By analyzing several previously printed receipts, attackers can use an ESC printer to create forged receipts. Furthermore, we tested our attack with one store and were able to exchange our forged receipt for real goods. Our results show that this is not a single improperly secured store, but rather whole supermarket chains. This makes the vulnerability even more severe as, as far as we can tell, it affects whole supermarket chains that provide such reverse vending machines.
*** Live stream via YouTube ***
[1] https://infothek.bmk.gv.at/pfandsystem-fuer-oesterreich-3-punkte-plan/
[2] https://oesterreich.orf.at/stories/3125584/
[3] https://www.sueddeutsche.de/panorama/pfandbetrug-urteil-kriminalitaet-1.4403519
[4] https://www.spiegel.de/panorama/justiz/koeln-betrueger-erbeutet-mit-einer-pfandflasche-44-000-euro-a-1121633.html
[5] https://www.schwaebische-post.de/welt/verbraucher/aldi-discounter-betrug-pfand-pfandbon-abzocke-flaschen-trick-polizei-kunden-zr-90005672.html
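The abstract above describes receipts that can be reproduced from previously printed ones. The following is an added, illustrative example written for this page (not code from the talk, from SBA Research, or from any vending-machine vendor): it contrasts a receipt whose check value is an unkeyed function of the printed fields, so that anyone who has collected a few receipts can reproduce it for an arbitrary amount, with a receipt carrying a keyed MAC over a random per-receipt nonce that the register verifies and then marks as redeemed. The field layout, store id, and key are constructed assumptions; a real deployment would also need the key to live only in the issuing and verifying back end.

```python
"""Weak (reproducible) vs. authenticated, one-time receipts.

Added example for this page; the receipt format, store id and key are
constructed assumptions and not taken from any real system.
"""
import hashlib
import hmac
import secrets


# --- Weak design: a "check digit" computed only from printed fields ---------
# Everything the check depends on is visible on the receipt, so a forger who
# has seen a handful of receipts can reproduce it for any amount.

def weak_check(store_id: str, counter: int, cents: int) -> int:
    """Unkeyed checksum over the cleartext fields (assumed layout)."""
    return (sum(int(d) for d in store_id) + counter + cents) % 97


def weak_receipt(store_id: str, counter: int, cents: int) -> str:
    """Receipt string: store:counter:amount:check, all in the clear."""
    chk = weak_check(store_id, counter, cents)
    return f"{store_id}:{counter:06d}:{cents:06d}:{chk:02d}"


def weak_verify(receipt: str) -> bool:
    """What a register can check without a key: recompute the checksum."""
    store_id, counter, cents, chk = receipt.split(":")
    return int(chk) == weak_check(store_id, int(counter), int(cents))


# --- Hardened design: keyed MAC plus server-side one-time redemption --------

TAG_HEX_LEN = 24  # 96-bit truncated HMAC-SHA256 tag, short enough for a barcode


class ReceiptAuthority:
    """Back end shared by the vending machine (issue) and the register (redeem).

    The key never appears on the receipt, so observed receipts do not help a
    forger; the nonce makes each receipt unique, and the redeemed-set stops
    a genuine receipt from being cashed twice.
    """

    def __init__(self, key: bytes) -> None:
        self._key = key
        self._redeemed: set[str] = set()

    def _tag(self, body: str) -> str:
        return hmac.new(self._key, body.encode(), hashlib.sha256).hexdigest()[:TAG_HEX_LEN]

    def issue(self, store_id: str, cents: int) -> str:
        """Called by the vending machine when printing a receipt."""
        nonce = secrets.token_hex(8)  # 64 random bits per receipt
        body = f"{store_id}:{nonce}:{cents:06d}"
        return f"{body}:{self._tag(body)}"

    def redeem(self, receipt: str) -> bool:
        """Called by the register; True exactly once per genuine receipt."""
        body, _, tag = receipt.rpartition(":")
        # constant-time compare so tag bytes cannot be guessed one at a time
        if not hmac.compare_digest(self._tag(body), tag):
            return False
        if body in self._redeemed:
            return False  # replay of an already-cashed receipt
        self._redeemed.add(body)
        return True


if __name__ == "__main__":
    # A forger who has inferred the weak formula mints a large "refund".
    print("weak forged receipt accepted:", weak_verify(weak_receipt("4711", 999, 99999)))
    auth = ReceiptAuthority(secrets.token_bytes(32))
    genuine = auth.issue("4711", 250)
    print("genuine first redemption:", auth.redeem(genuine))
    print("genuine second redemption:", auth.redeem(genuine))
```

The weak variant is accepted for any amount the forger chooses, while the authenticated variant rejects a tampered amount, a guessed tag, and a replayed receipt; a truncated 96-bit tag is still far beyond what can be brute-forced at a cash register.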
Christian Kurta | Palo Alto Networks
Twenty years ago, few believed self-driving cars could happen, yet here they are. Will the same principles pave the way towards self-driving security? Christian Kurta explores what an autonomous SOC looks like, why it's needed, and how getting there requires a revolution in innovation. Christian will also detail potential pitfalls along the way.
*** Live stream via YouTube ***
Michael Strametz | SySS
Hassan Mohamad | Sec-Research
Herbert Dirnberger | IKARUS
Florian Bogner | Bee Security
Darius Beckert & Nicolas Averesch | XSEC infosec
Thomas Wagner & Bálint Szilakszi | willhaben internet service
In a world where the number of cyber threats is competing with the number of security frameworks and solutions, it’s a real challenge to identify and implement the right solutions to counter the risks we are facing. As a fast growing and fast paced online-only company, this challenge is even bigger for willhaben than for others. While willhaben as a company strives to deliver not only great user experience and great user value, it also aims to do this fast, autonomously, and with technical excellence.
Therefore, achieving short time-to-market and an appropriate level of security at the same time requires efficiency, to integrate security deeply into the system development processes and to perform precise risk assessments. This is supported by an agile organisation that builds the foundation for all planning and continuous learning that is required.
Stefan Schubert | Frequentis
Martin Eßlinger | Devoteam Consulting
The protection of data confidentiality and integrity provided by public key cryptography is a cornerstone of our digital economy. Maintaining data privacy, enabling digital trust relationships, or protecting intellectual property would not be possible without it. Recent advances in quantum computing are creating the ability to break even the strongest cryptographic keys in the near future. This talk will outline who should be concerned most by this development and what should be done to mitigate the threat of losing control over your data.
Philipp Reisinger | SBA Research
Florian Plainer & André Meindorfer | Hackerspace Segmentation Vault
Edgar Weippl | University of Vienna / SBA Research
Esther Seidl & Sebastian Schrittwieser | Universität Wien
Timo Longin | SEC Consult