2023
Elbsides light is a wrap! Thank you to all our speakers, sponsors, and attendees for making this a great event. We hope to see you again in 2024!
This year we will welcome you to Elbsides light, a ½ day conference.
You can find all the videos and some of the slides by clicking through to the talk description from the program or you can check out the playlist on YouTube.
General Information
The computer security community from Hamburg and North Germany will meet on November 17th, 2023 at Haus des Sports, Schäferkampsallee 1 in Hamburg, near U-Schlump station.
Follow us
- X: @elbsides
- Mastodon: @elbsides@infosec.exchange
- Bluesky: @elbsides.bsky.social
- LinkedIn: linkedin.com/company/elbsides
If you haven’t been to Elbsides 2019, see what you missed and watch the talks on YouTube: YouTube channel
Sponsors
We hope to welcome many old and new sponsors to make this event possible with no costs for attendees and to keep this event as inclusive as possible.
Program
Preliminary program, subject to change. You can also jump to the talks directly or speaker bios.
You can find the videos of the talks by clicking through to the talk or by going to the playlist on YouTube.
Time | Speaker | Title |
---|---|---|
13:00 | Dr. Morton Swimmer | Conference opening |
13:10 | Prof. Dr. Simone Fischer-Hübner | Keynote: 40 years Census Decision: The census and understanding privacy protection in the transition of time |
13:40 | Jasmin Mair | My CI/CD pipeline contains all security tools available! Now what…? |
14:10 | Lukas Mika | Secure Supply Chains, Secure Containers |
14:40 | Break | |
15:00 | Adina Bogert-O’Brien | A beginner’s guide to SSO (mis)configuration |
15:30 | Christian Kollee | You are (not) prepared - A ransomware story |
16:15 | Break | |
16:35 | Nick Mahling | Reverse Engineering of Intel’s Branch Prediction |
17:05 | Attila Szasz | Broadcom router SDK vulnerabilities - the uncomfortable reality of the IoT Linux kernel space |
17:50 | Florian Junge | Closing remarks |
18:00 | Networking Hour | |
19:00 | End of conference | |
Speakers
Prof. Dr. Simone Fischer-Hübner
Simone Fischer-Hübner is a Guest Professor at Chalmers University of Technology and has been a Full Professor at Karlstad University since June 2000, where she is the head of the Privacy & Security (PriSec) research group. She received a Diploma Degree in Computer Science with a minor in Law (1988), and a PhD (1992) and Habilitation (1999) Degrees in Computer Science from Hamburg University. She was a Guest Professor at Copenhagen Business School in 1994/1995 and Stockholm University / Royal Institute of Technology in 1998/1999. Moreover, she was awarded an Honorary Doctorate by Chalmers University of Technology in 2021. She has been conducting research in privacy, cyber security and privacy-enhancing technologies for more than 35 years. She is a member of the Cybersecurity Council of the Swedish Civil Contingency Agency (MSB), a board member of the Swedish Data Protection Forum and a member of the board for the Privacy Enhancing Technology Symposia (PETS).
Jasmin Mair
Jasmin is an experienced application security professional and Global Product Security Manager at Leica Microsystems. She gained extensive experience in organizing and implementing secure development programs, DevSecOps, and secure SDLC across different clients while working as a consultant. Her passion is to build bridges between cross-functional teams and to find new ways to improve collaboration. She likes working with people and technology; this has been the constant in her professional career and education.
Lukas Mika
Lukas Mika started his career in the IT industry as a Software Developer, Solution Architect and IT Consultant. Following his passion for IT Security, he took the opportunity to become a Security Architect. In this position he drove the Application Security initiative at his former employer. In 2022, he joined Maersk’s Cyber Architecture Team as a Lead Cyber Architect for Application Security, where he now focuses on the Secure Software Development Lifecycle vision and its implementation across the enterprise.
Christian Kollee
Christian currently works as a Network Detection Engineer in the German finance sector. Previously, he worked as a forensic analyst and incident handler in international organizations and medium-sized German businesses. With more than ten years of experience in IT security, Christian knows the IT security problems from medium-sized companies to DAX30 corporations. Besides learning about new attacker tools and techniques, he tries desperately to reduce his ever-growing stack of articles and books in his spare time.
Nick Mahling
linkedin.com/in/nick-mahling-1850351b1/
Nick Mahling is an IT-Security master student at the University of Lübeck where he graduated with a bachelor’s degree in 2023. He also works as a Research Assistant at the Institute for IT-Security at the University of Lübeck. Nick is particularly interested in reverse engineering, CPU microarchitectures and hiking.
Attila Szasz
linkedin.com/in/attila-szász-086abb122/
Researcher in computer security, reported vulnerabilities in Google Chrome, Intel DRM technologies, ASUS routers, SONY consumer products and even Ghidra. Founder and general manager of BugProve, an IoT security solution provider.
Adina Bogert-O’Brien
WWW: discontinuity
@discontinuity@infosec.exchange
Hey, I’m Adina! I am incessantly curious, work in renewable energy, and sometimes find vulnerabilities when I’m bored. I co-founded a hackerspace over a decade ago but have only just accepted that security is more than a hobby. At work, I’m a business architect with security leanings working in knowledge management for a major renewable energy company.
Talks
Opening
Speaker: Morton Swimmer
40 years Census Decision: The census and understanding privacy protection in the transition of time.
Speaker: Simone Fischer-Hübner
Slides: PDF
In 1983, the German Constitutional Court, in its census decision, stopped the planned census, which according to the court was violating the individual right to informational self-determination. The court required a clear purpose limitation of census data as well as the requirement that census data must be (effectively) anonymized. While for the 1987 census, the German government and Census Bureau assumed that deleting directly identifying personal identifiers, such as name and address, would be sufficient for anonymisation, Klaus Brunnstein and Simone Fischer-Hübner demonstrated with a simple simulation model that a few additional personal data attributes would be sufficient to uniquely identify most individuals. 40 years later, the problem that it is basically impossible to anonymise personal data by simply suppressing some attributes is by now very well understood. For effectively protecting statistical data, privacy-enhancing technologies, including k-anonymity and differential privacy, have been developed. Differential privacy has been used recently by the US census and is also used by tech giants, such as Apple, Google or Uber, for enhancing privacy for their data analyses - however, differential privacy provides privacy functionalities that are hard to convey to lay users and decision makers. This talk provides an overview of how the understanding of privacy, anonymity and privacy enhancing technologies for census and data analytics has developed over the last 40 years and discusses remaining challenges.
My CI/CD pipeline contains all security tools available! Now what…?
Speaker: Jasmin Mair
Slides: PDF
In today’s fast-paced environment, teams are under constant pressure to deliver code, features, and applications at an unprecedented speed, thanks to the contributions of Agile and DevOps methodologies. While these approaches have significantly accelerated the time to market, the downside is that rapid development often comes at the cost of neglecting critical security considerations, potentially leaving systems vulnerable to cyber threats and compromises.
But does DevSecOps, the seemingly ideal bridge between agility and security, truly live up to its promise, or is it too good to be true? The reality often reveals a substantial gap between theory and practice.
This talk will not only delve into the principles and potential of DevSecOps but will also shed light on a commonly overlooked challenge: teams’ premature and excessive focus on acquiring security tools without executing proper implementation. By exploring real-world examples and best practices, this talk aims to provide practical insights into addressing these challenges and fostering a cultural shift that can lead to successful DevSecOps adoption. It’s not just about buying tools; it’s about implementing them thoughtfully and collaboratively to fortify your development process against security threats.
Secure Supply Chains, Secure Containers
Speaker: Lukas Mika
The invention of the container has created entirely new opportunities through the accompanying standardization - both in global trade and in software development. This has resulted in increasingly complex supply chains in logistics and software development, which need to be secured in both industries.
But how do companies address the associated risks and what lessons can we learn for our development processes? How can they ensure that they know what they ship in their containers? How can security be embedded in their processes, without delaying their deliveries?
Using the Secure Software Development Lifecycle, this presentation will illustrate the strategic vision that the container shipping company Maersk uses to design its own software development process and to identify, mitigate and prevent security and operational risks along the software supply chain. It will take a closer look at the process, its objectives and the challenges it faces.
A beginner’s guide to SSO (mis)configuration
Speaker: Adina Bogert-O’Brien
Slides: PDF
SSO is sold as a way to
- centralize managing your organization’s users,
- make life easier for your colleagues, and
- enforce consistent security standards.
But SSO protocols are just ways for an identity provider to share information about an authenticated identity with another service. Me having a way to tell my vendor “yeah, that’s Bob” doesn’t tell me what the vendor does with this information, or if the vendor always asks me who’s coming in the door.
A bad SSO implementation can make you think you’re safer, while hiding all the new and fun things that have gone wrong.
To get the most out of implementing SSO, I need to know what I’m trying to accomplish and what steps I need to follow to get there. To illustrate why SSO needs to be set up carefully, for each of the things you need to do right, I’ll give you some fun examples of creative ways you and your vendor can do this wrong. We all learn from failure, right???
I’m sharing this info because this year I got deeply involved in the SSO setup for several vendors at work. It turns out that I’m good at asking weird questions, and it’s an extremely valuable thing to do. If you know how things should be, then you know where they could be broken, and you can ask your vendors (and your colleagues!) “weird questions” before an adversary does.
You are (not) prepared - A ransomware story
Speaker: Christian Kollee
Slides: PDF
Ransomware attacks are an ever-present menace for companies of all sizes. But they are especially devastating for small and medium-sized businesses. However, ransomware attacks typically consistently proceed similarly. The techniques used differ depending on the grouping and the infrastructure attacked.
Looking at the Incident Response cycle, many companies omit the first phase at least partially: preparation. On the one hand, the preparation phase includes preventive measures, i.e., measures to reduce the likelihood of an incident. On the other hand, since preventive measures can fail, companies must also implement steps for when an incident does occur. Missing these preparations will lead to problems and delays during an incident.
While responding to an incident, handling two different work streams is necessary. The first stream is the recovery of the company network. In the best case, the company can manage this stream independently. The second workstream is the forensics analysis of the incident. Usually, small and medium-sized businesses lack the necessary knowledge and require a specialized service provider. This stream is essential to understand how the attackers entered the environment, how they moved around, and what backdoors they placed that they could use to return. Forensic analysis is also required to decide which systems the company needs to replace, which they need to clean up, and which they can continue to use. The less precise the forensic results, the more conservative the rebuild has to be.
You can do a lot before an actual incident; some to make it less likely to get hit and some to make it easier to recover. There are also some recommendations to ensure that you handle the incident response as well as possible. In this talk, I’ll
- tell a story of an exemplary incident response based on what I saw during the last five years,
- show general tips that reduce the likelihood of such an attack,
- provide preparation steps to ease the response in case of an incident,
- and give some hints on how to handle the response.
Reverse Engineering of Intel’s Branch Prediction
Speaker: Nick Mahling
Slides: PDF
Due to the rise of cloud computing, many applications share hardware resources with other applications in the cloud. While cloud computing offers numerous advantages, it has also introduced new security threats that need to be addressed. To reduce these risks, virtualization is used to isolate applications. A CPU involves a vast array of microarchitectural components dedicated to multiple tasks. If any of these underlying components possess a design flaw, it could potentially lead to security vulnerabilities, making the virtualization obsolete. One of these microarchitectural vulnerabilities is known as Spectre, which encompasses attacks capable of exploiting speculative execution to manipulate the control flow of an application. Speculative execution is a key feature in modern processors that leverages multiple microarchitectural elements to optimize runtime performance. This is achieved among other things by accurately predicting conditional branch outcomes. By analyzing the history of a branch, the processor can make guesses about the direction a program will take, enabling it to speculatively execute instructions ahead of time. Spectre variants targeting this mechanism have the ability to alter the program’s execution path, potentially allowing an attacker to leak sensitive information. Due to limited knowledge about branch prediction on modern processors, some of those Spectre variants presented by researchers are impractical, e.g. because of very long shellcodes. Furthermore, a deeper understanding of branch prediction can unveil more efficient defense mechanisms.
Hence, this presentation, which is based on my recent bachelor’s thesis, will focus on reverse engineering the branch prediction on modern Intel CPUs. Through the design and implementation of experiments, we aim to gain deeper insights into branch predictors. Specifically, our objective is to find pairs of branches that can interfere with each other’s predictions. This acquired knowledge builds the foundation for developing a more reliable and efficient out-of-place Spectre attack. By employing the information from that research, we successfully construct an attack and demonstrate its practical implications. The findings underline the importance of understanding and mitigating vulnerabilities arising from branch prediction mechanisms in CPUs.
Broadcom router SDK vulnerabilities - the uncomfortable reality of the IoT Linux kernel space
Speaker: Attila Szasz
This research uncovers the CVE-2023-31070 vulnerability, a concerning issue within the IoT Linux kernel space, specifically affecting the Broadcom BCM47xx SDK. This vulnerability resides in the Efficient Multicast Forwarding (EMF) slab-out-of-bounds write, and it has significant implications for IoT device security. The Broadcom BCM47xx SDK serves as the reference implementation in numerous router models, making it a ubiquitous presence in the IoT landscape. In fact, the issue affects router devices from at least 14 manufacturers, and more than 50 popular models, therefore affecting a significant market share of small office home networking devices.
The EMF module, responsible for optimizing multicast traffic, is a crucial component, particularly in applications like IPTV.
Within this SDK, a critical flaw lurks in the EMF kernel driver, emf.ko, primarily used for IGMP snooping. Through careful analysis and reverse engineering, the vulnerable code within emf.ko is dissected, revealing how an attacker can manipulate kernel module data structures with specifically crafted data. The ultimate goal of this exploitation is to achieve kernel-mode code execution, posing a substantial security risk.
To illustrate the practical implications of CVE-2023-31070, a demonstration is provided, showcasing how an attacker can trigger an out-of-bounds access in the kernel space, eventually causing system crashes. This demonstration, conducted on an ASUS AC87U device, serves as a real-world example of the potential consequences of this vulnerability.
This research journey also sheds light on the complexity of addressing such vulnerabilities. Close collaboration with Broadcom was required to get a fix; however, they have no control over the security update process of their OEMs and customers. In many cases, the affected models are no longer supported, even though tens of thousands of samples are still operated on public networks. This case study underscores the need for effective coordination in addressing vulnerabilities within interconnected systems.
This presentation will provide an in-depth examination of CVE-2023-31070, offering valuable insights into the IoT security landscape and the imperative to secure our interconnected devices. The talk aims to foster a discussion within the security community and raise awareness of the challenges posed by vulnerabilities in IoT ecosystems.
Closing
Speaker: Florian Junge
Team
Morton
Morton is a researcher in the Forward-Looking Threat Research (FTR) team at Trend Micro, Inc. where he peers into the future of computers and society to identify the risks and vulnerabilities of the future. His past in computer security stretches back 30 years and he has been involved in most of the innovations in security, first at the University of Hamburg, Germany, then IBM Research and now Trend Micro. While originally active in malware analysis and computer forensics, recently his team has been focussing on massive threat data analysis for spotting new types of attacks quantitatively and also on modelling future threats to society that will accompany its inevitable march towards tighter integration in smart cities, intelligent transportation, supply chains and manufacturing. Morton, a native of New York City, has a Computer Science PhD degree from the University of Hamburg, and resides in the Hamburg, Germany area.
Dagmar
Coming from a non-technical background, Dagmar brings her knowledge of event organization to Elbsides. Through previous experiences in professional stage management / production for theatre in the UK and US, as well as Sci-Fi conventions in Germany, she teamed up with her husband Morton to organize events for the computer security industry, BSides Munich being among them. Having lived and worked in a variety of countries, she enjoys traveling the globe and seeing theatre productions, especially in London.
Stefan
For all his professional business life (even years before that) Stefan has been involved in information security. In 1993 he was the first student to be hired by the freshly launched DFN-CERT Services GmbH, the first Computer Emergency Response Team in Germany and also one of the first within Europe. After having spent a number of years in the PKI universe he worked as an IT security consultant for the next 15 years before re-joining the awesome crew at DFN-CERT Services GmbH in 2016. He likes IT forensics, Cyber Threat Intelligence, and malware analysis and loves helping people.
Florian
A past interest in archaeology brought Florian to the field of security. To him, both share a similar approach: recognizing the ideas of the past via its artefacts and the application of these lessons to form a better future. As a security engineer he tries to adopt this philosophy to the various aspects of the field, may it be user awareness, OS and network security or how to cloud securely. He also enjoys hot food, fast bikes and open source.
Debbie
Debbie is also a non-techie, but has worked in IT security sales since 2019 - first for SCHUTZWERK and now for Turingpoint. Inspired by her environment, she started studying business informatics part-time in 2021 to gain a broader IT knowledge. In the meantime, it has become clear that she would like to specialize even more in cybersecurity. Debbie joined Elbsides because she wanted to dive deeper into the community.
Jonas
Jonas’ day job is in incident response and forensics at BlackBerry. During engagements he specializes in disk forensics and fast triage, relying heavily on automation to aid in fast recovery of customers affected by data breaches or malware incidents. In his spare screen time he engages in various open source efforts and likes researching new forensics related topics. Reverse engineering proprietary APIs, file formats and protocols is one of his main interests. In the great outdoors he enjoys geocaching and paddling. He also added aerial photography and semi-autonomous to fully manual flight with home-built UAVs and FPV drones to his outdoor activities.
David
David is an independent software developer, penetration tester and IT consultant. He likes to build software, analyze systems and troubleshoot weird computer problems. When not in front of a screen he enjoys a good physical challenge, doing various kinds of sports.
Fabian
Fabian currently works as an embedded software engineer for a small company in Northern Germany. He was working as a financial consultant when his fascination for technology led him back to school to study electrical engineering and digital systems. During his bachelor’s and master’s theses he was able to get deep into the weeds of reverse engineering and secure code as part of the vulnerability analysis department at NXP. Whenever he isn’t sitting in front of a keyboard, he enjoys playing music and sports outdoors.