2024
| Program | Speakers | Sponsors | Registration | Team |
General Information
The Elbsides 2024 computer security community conference will be held in Hamburg, Germany on Friday, the 13th of September. Meanwhile, we need sponsors to make this event possible and keep the costs for the participants low. If you are interested in sponsoring, please contact us at elbsides -at- gmail.com.
The Call for Papers is now open, and we welcome your presentation submission until the end of July 7th. is now closed. Thank you for all your proposals, and we hope to see you in Hamburg!
Location
This year Elbsides will be at the river Elbe: at the Empire Riverside Hotel, a 4-star hotel in the heart of Hamburg. The hotel is located in the St. Pauli district, near the Reeperbahn and overlooking the port of Hamburg. The conference will be held in the hotel’s conference center.
Pictures © Empire Riverside Hotel, Stefan Karstens and Andrea Flak
Follow us
- X: @elbsides
- Mastodon: @elbsides@infosec.exchange
- Bluesky: @elbsides.bsky.social
- LinkedIn: linkedin.com/company/elbsides
If you haven’t been to Elbsides 2023 - see what you missed and watch the talks on our 2023 Youtube channel
Sponsors
We hope to welcome many old and new sponsors to make this event possible with minimal costs for attendees and to keep this event as inclusive as possible. If you are interested in sponsoring, please contact us at elbsides -at- gmail.com.
 |
 |
 |
 |
 |
|
 |
 |
 |
 |
 |
 |
 |
|
Program
| Time | Speaker | Title |
|---|---|---|
| 8:00 | Registration | |
| 9:00 | Opening | |
| 9:15 | Katharine Jarmul | Opening keynote: AI (In)security: How to (Still) Successfully Attack an AI System |
| 9:45 | Candid Wüest | Unveiling the Reality: The True Impact of GenAI on Cybercrime |
| 10:30 | Break | |
| 11:00 | Stefan Hager | Far beyond the perimeter - exploring external attack surfaces |
| 11:30 | Timo Pagel | Key Steps to Achieving an Application Security Program |
| 12:00 | TBA | TBA |
| 12:30 | Sam Macdonald | Dealing With Imposter Syndrome |
| 13:00 | Lunch | |
| 14:00 | Christian Kollee | Ready to Respond - Plan, Prepare, Try & Train |
| 14:30 | Marc Ratfeld | Protecting the energy transition |
| 15:00 | Michael Helwig, Álvaro Martínez | Help, my application is vulnerable, but how bad is it? |
| 15:40 | Break | |
| 16:10 | Hilko Bengen | Detection And Response for Linux without EDR |
| 16:40 | Max Maaß, Tim Walter | Protectors of the Realm: Breaking and Fixing Keycloak Configurations |
| 17:10 | Marit Hansen | Closing keynote: TBA |
| 17:40 | Closing | |
| 18:00 | Networking hour begins |
Backup talks:
- Santi Abastante: Dredge: A Open Source Framework for Cloud Incident Response
- Thore Tiemann: “Act natural!”: Exchanging Private Messages on Public Blockchains
Speakers
Álvaro Martínez, Candid Wüest, Christian Kollee, Hilko Bengen, Katharine Jarmul, Marc Ratfeld, Marit Hansen, Max Maaß, Michael Helwig, Sam Macdonald, Santi Abastante, Stefan Hager, Thore Tiemann, Tim Walter, Timo Pagel
Álvaro Martínez
Talk: Help, my application is vulnerable, but how bad is it?
Álvaro Martínez holds a Bachelor of Engineering in Telecommunications and a Master’s degree in Information Security, graduated in 2018. After several years working as web developer, he decided to switch to his preferred area, cybersecurity, where he currently works at conducting vulnerability assessments and web penetration tests, integrating security tools into corporate environments and helping development teams to better understand and mitigate vulnerabilities in their applications.
Candid Wüest
Talk: Unveiling the Reality: The True Impact of GenAI on Cybercrime
Candid Wüest is a seasoned cybersecurity expert with a strong blend of technical skills, leadership, and over 25 years of passion in the field of security. He currently serves as an independent security advisor for various companies and the Swiss government. Previously, he was the VP of Cyber Protection Research at Acronis, where he led the creation of the security department and the EDR product. Prior to that, he spent over sixteen years at Symantec, where he played a key role in building their global security response team as the technical lead, focusing on malware and threat analysis. Wüest has authored a book and several white papers and has been recognized as a security expert in top-tier media outlets. He frequently speaks at major security conferences, including RSAC and BlackHat and is an organizer of AREA41 & BSides Zurich. He began learning coding and English on a Commodore 64. He holds a Master’s degree in Computer Science from ETH Zurich and possesses various certifications and patents.
Christian Kollee
Talk: Ready to Respond - Plan, Prepare, Try & Train
Christian currently works as a Network Detection Engineer in the German finance sector. Previously, he worked as a forensic analyst and incident handler in international organizations and medium-sized German businesses. With more than ten years of experience in IT security, Christian knows the problems of all IT security types, from medium-sized companies to DAX30 corporations. Shortly, he will join a company doing Incident Response and Managed Detection & Response. Besides learning about new attacker tools and techniques, he tries desperately to reduce his ever-growing stack of articles and books in his spare time.
Hilko Bengen
Talk: Detection And Response for Linux without EDR
Hilko works in the CSIRT for a transportation and logistics company. He feels most comfortable when thinking about problems that touch systems programming, operations and IT security. For more than 25 years, he has learned to take free and open source software for granted, and he is still amazed when he hears how others have found his contributions useful.
Katharine Jarmul
Keynote: AI (In)security: How to (Still) Successfully Attack an AI System
Katharine Jarmul is a privacy activist and an internationally recognized data scientist and lecturer who focuses her work and research on privacy and security in data science and machine learning. You can follow her work via her newsletter, Probably Private or in her recently published book, “Practical Data Privacy” (O’Reilly 2023) now also available in German as “Data Privacy in der Praxis.”
Marc Ratfeld
Talk: Protecting the energy transition
Marc Ratfeld is a computer scientist, CISSP, GIAC and ISMS Senior Consultant. With over 25 years of experience in the field of information security, Mr. Ratfeld has worked in various industries as an information security officer and helps companies to implement and continuously develop information management systems. In doing so, he pays particular attention to the practicability of implementation and has successfully brought ISMS implementation projects to the level of certification. Since 2023, he has also been an executive manager of pure ISM GmbH.
Marit Hansen
TBA
Max Maaß
Talk: Protectors of the Realm: Breaking and Fixing Keycloak Configurations
Max Maaß works at the security team at iteratec. He spends his time with architecture reviews, threat modeling and pentesting for software development projects, and has contributed to the OWASP secureCodeBox. Previously, he conducted research into security and privacy issues at the Secure Mobile Networking Lab at TU Darmstadt.
Michael Helwig
Talk: Help, my application is vulnerable, but how bad is it?
Sam Macdonald
Talk: Dealing With Imposter Syndrome
A cybersecurity professional from the UK whereby imposter syndrome is a weekly bi-product of having changed careers midlife. Every day is a school day, now looking to tackle the inner fraud that takes so many in the community and share what I have learnt.
Santi Abastante
Talk: Dredge: A Open Source Framework for Cloud Incident Response
Ex-Police Officer from Argentina, Cloud Incident Responder and Security Engineer with 10+ years of IT experience.
Stefan Hager
Talk: Far beyond the perimeter - exploring external attack surfaces
Stefan works for the Internet Security Team at German company DATEV eG. He started messing with computers in the 80s and turned it into a job as a programmer in the early 90s. Since 2000 he has been securing networks and computers for various enterprises in Germany and Scotland. His main focus nowadays is security research, raising security awareness, coming up with creative solutions to security problems and discussing new ideas concerning threat mitigation. When not trying to do any of the stuff mentioned above, he is either travelling, producing hacker music and other electronic beats or gardening.
Thore Tiemann
Thore Tiemann is a research assistant and PhD student at the Institute for IT Security at the Universität zu Lübeck. His research interests are in the area of computer and systems security with a focus on microarchitectural side-channel attacks and defenses in heterogeneous cloud computing.
Tim Walter
Talk: Protectors of the Realm: Breaking and Fixing Keycloak Configurations
After working as a full-stack developer and software architect, Tim Walter now works as a security architect for iteratec. His primary task is to support teams in the development of secure software through threat modeling, security reviews of architecture concepts, vulnerability analyses and the integration and automation of security scans.
Timo Pagel
Talk: Key Steps to Achieving an Application Security Program
Timo Pagel has been in the IT industry for over twenty five years. After a career as a system administrator and web developer, he advises customers as a DevSecOps consultant and trainer. His focus is on integrating security into the development lifecycle. For example with security test automation for software and infrastructure and assessment of complex applications in the cloud. In his spare time, he teaches “Web and Application Security” at various universities of applied sciences.
Talks
AI (In)security: How to (Still) Successfully Attack an AI System
Opening Keynote
Speaker: Katharine Jarmul
In this talk, we’ll review attacks on today’s “AI” systems, and how fundamental aspects of adversarial examples are still relevant today. We’ll explore how purple-teaming AI systems could work, and the latest research on potential preventative measures and a few common-sense tips, if your CEO tells you, you have to deploy an AI-based application.
Unveiling the Reality: The True Impact of GenAI on Cybercrime
Speaker: Candid Wüest
Are we on the brink of a GenAI-powered cybercrime apocalypse? Sensational headlines may stoke fear, but the reality is more nuanced. Join us to explore the true impact of GenAI on cybercrime, debunk myths, and reveal insights from the frontlines. We’ll start with the infamous $25 million BEC deepfake video conference scam, illustrating how deep fakes are weaponized. From son-in-trouble scams to 2-for-1 bitcoin videos, we’ll uncover the various deepfake threat landscape. Next, discover how GenAI transforms phishing attacks, personalizing messages and orchestrating interactive schemes like romance scams. See how cybercriminals leverage GenAI for automation and efficiency, ramping up malicious operations. We’ll demystify AI-generated, AI-supported, and AI-powered threats, showing how AI accelerates threat distribution through script creation and scaling. Real-world examples of GenAI-generated malware will be discussed. Like for example the polymorphic or rather metamorphic PoC malware Black Mamba, that dynamically adapts using LLMs. Even nation state APTs have played with it. We’ll explain why these threats remain detectable with current methods and why the feared Terminator ransomware isn’t on the horizon for this year. Discover the strategic shift from creating unfiltered LLMs, like FraudGPT, to offering proxied prompt injection into existing models, like LoopGPT. See how tools like FuzzAI help with new prompt injections. Finally, we’ll touch on the MITRE ATLAS framework and discuss related techniques, e.g. adversarial AI attacks, setting the stage for future discussions. This talk separates hype from reality, providing a clear perspective on the evolving cyber threat landscape driven by GenAI.
Far beyond the perimeter - exploring external attack surfaces
Speaker: Stefan Hager
Looking for intel in all the right places is an art that adversaries seem to have mastered; but when it comes to their own data, many companies seem to lose interest in examining anything that’s outside the “perimeter” - whatever that is supposed to be nowadays. Credential leaks, shadow IT, unofficial websites with official info - the list of assets far outside the data centers of companies is long, and those assets nevertheless pose risks. Instead of turning a blind eye, it’s important (and necessary) to get an understanding of what kind of information is out there, ready to be used or abused and protect accordingly. What risks are “out there” and what is meant by “out there”? How can those risks be addressed? What tools are easily available?
Key Steps to Achieving an Application Security Program
Speaker: Timo Pagel
This talk outlines a practical approach to building and optimizing application security (AppSec) programs for organizations of all sizes. While briefly touching on foundational elements, the presentation focuses on developing and implementing a custom organizational maturity model that resonates with development and operations teams. Moving beyond traditional frameworks, attendees will learn to design tailored models that account for diverse operating environments. The talk provides strategies for avoiding common pitfalls, implementing effective metrics, and creating a scalable AppSec approach adaptable to an organization’s evolving needs. Through actionable advice and real-world examples, participants will gain insights applicable to both new and existing AppSec programs.
Dealing With Imposter Syndrome
Speaker: Sam Macdonald
Imposter syndrome is a psychological phenomenon where individuals doubt their accomplishments and fear being exposed as a “fraud,” despite evidence of their competence and success. It can affect anyone, regardless of their career stage, background, or achievements.
Ready to Respond - Plan, Prepare, Try & Train
Speaker: Christian Kollee
"”Prevention eventually fails.” and “Assume breach.” are two statements the IT security community agreed on long ago. These statements are still valid, especially with the recent vulnerabilities in security devices from different vendors. According to Mandiant M-Trends 2024 Special Report, exploiting vulnerabilities is globally the initial access vector in 38% of all intrusions, followed by Phishing (17%) and access provided by a prior compromise (15%). Over the last two to three years, many of these vulnerabilities have also concerned security devices like firewalls, VPN gateways, and other Internet-connected devices.
Therefore, being ready to respond to a cyberattack must be a priority for enterprises of every size. But what does “being ready” really mean? There are three distinct phases an enterprise needs to go through to be ready. The first phase is the usual You need a plan, which usually means creating documents that describe how to conduct an incident response, who is responsible, and who needs to be informed. However, more than just having a plan is required. Preparing your people, processes, and environment is the second step for a successful incident response. Do your people have the required skills? Are your processes aligned with suppliers and service providers? Do you have the tools in place to perform the incident response? Finally, you need to practice and train every emergency. There are different possibilities for conducting incident response engagements, from simple tabletop exercises to full-blown emergency exercises. Each of them has its advantages and drawbacks.
In this talk, I’ll review these three phases and present the essential points based on my experiences. From creating a plan to the preparation phase to implementation and training, we will look at the crucial steps in a brief overview.
Protecting the energy transition
Speaker: Marc Ratfeld
The renewable energy sector is one key factor within critical infrastructure of Europe and Germany. Protecting this industry against cyberattacks is a constant challenge. The rapid growth and increased security requirements are putting the industry under constant pressure to adapt. This talk will give you an insight view of actual attempts to protect IT and OT environments off- and onshore.
Help, my application is vulnerable, but how bad is it?
Speakers: Michael Helwig, Álvaro Martínez
With an increasing number of high and critical security vulnerabilities being disclosed each year, it is a constant challenge for developers and project teams to respond quickly to serious vulnerabilities in their code base and projects. Often there is no structured process in place to deal with the issues and a decision needs to be made quickly. What can you do?
In this presentation we will explore different approaches to quickly analyze vulnerabilities and estimate the potential impact in your specific context. CVSS scoring is often used as a first step in prioritization, but what is CVSS? Thanks to artificial intelligence, we now have EPSS scoring to help us prioritize, but does it really improve our situation? Ultimately, you have to take your architecture and technical context into account to come to the right conclusion? For this we will take a look at Cyber Kill Chains and how they can be used for this purpose.
The goal of this presentation is to give developers practical insight into the vulnerability analysis process and to provide them with ideas and tools they can use when the next vulnerability appears.
Detection And Response for Linux without EDR
Speaker: Hilko Bengen
In modern, networked, enterprise IT environments, the focus of defense teams has shifted from monitoring network infrastructure towards endpoints. Installing endpoint detection and response (EDR) software on user workstations and servers – and actually monitoring their activities and findings – has become an easy default choice.
However, it appears that in development of most EDR products, with their heritage in antivirus software, a very Windows-centric worldview is retained. Support for other operating systems, especially Linux, seems to come as an afterthought, leaving visibility gaps that may be easily exploited by skilled attackers.
After evaluating several EDR vendors’ products specifically for use in a large, heterogeneous Linux server landscape, we found that the capabilities were no match to our existing near-real-time detection mechanisms. We couldn’t even replicate our previous work using the products. Deciding against any EDR product meant that we need to find an alternative approach to building out response capabilities.
This talk illustrates mostly home-grown approaches to detection and response engineering that provide analysts with tools for generating context and for large-scale threat hunting while making it as pleasant as possible for operations teams to integrate the required components into their systems.
Protectors of the Realm: Breaking and Fixing Keycloak Configurations
Speakers: Max Maaß, Tim Walter
Keycloak is a widely used tool for authentication and user management in many projects and is therefore often encountered in security audits. However, analyzing the security of an existing Keycloak instance is often a challenge due to the complexity of the software and its configuration options.
Having been responsible for the security of a Keycloak instance in a large software project for almost two years, we share our insights on what to look for. We also present our open source Keycloak configuration auditor kcwarden, which we developed to facilitate our work. The tool can detect common security issues and can be easily customized to detect project-specific issues, such as dangerous role assignments or policy violations. This allows us to continuously monitor the configuration for dangerous changes that might otherwise go unnoticed.
After attending this talk, you should have an overview of common Keycloak misconfigurations and how you can use kcwarden to support your work.
Dredge: A Open Source Framework for Cloud Incident Response
Speaker: Santi Abastante
BACKUP TALK
Cloud incident response can be daunting, requiring a plethora of tools and skills, while most Cloud Based Startups can’t allocate budget for preventive controls, there is less space for them to understand what to do if they are hacked.
That’s why I created Dredge, an Open Source framework designed to streamline cloud incident investigations, by allowing Cloud Engineers and Incident Responders to execute non-trivial response tasks effortlessly, irrespective of your familiarity with specific cloud platforms nor incident response tactics.
The main idea is to empower engineers to respond to attacks no matter what preparation they had before, taking advantage of most of the out-of-the box security features cloud providers offer but not everybody is aware, like being able to retrieve a forensic image from a running server or getting logs that they didn’t know they had.
Some Key Features that differentiate Dredge from existing tooling:
- Python-based CLI
- Retrieve logs seamlessly from Github, Kubernetes, AWS, GCP or Azure.
- Take action: whether it’s blocking an IP in an AWS tenant, disabling an AccessKey, isolating an EC2 instance, or strategically extracting crucial post-compromise user data.
- Identify tactical misconfigurations that can be exploited by an attacker.
- Create an attack timeline based on IOCs.
- Analyze retrieved data effortlessly within your terminal, utilizing built-in capabilities from VirusTotal and Shodan.
- Cloud Incident Response Guidelines for companies to embrace and build their playbooks.
“Act natural!”: Exchanging Private Messages on Public Blockchains
Speaker: Thore Tiemann
BACKUP TALK
Messengers have become an essential means of interpersonal interaction. Yet untraceable private communication remains an elusive goal, as most messengers hide content, but not communication patterns. The knowledge of communication patterns can by itself reveal too much, as happened, e.g., in the context of the Arab Spring. Subliminal channels in cryptographic systems enable untraceable private communication in plain sight. In this context, bulletin boards in the form of blockchains are a natural object for subliminal communication: accessing them is innocuous, as they rely on distributed access for verification and extension. At the same time, blockchain users generate hundreds of thousands of transactions per day that are individually signed and placed on the blockchain. Thus, blockchains may serve as innocuous repository for publicly accessible cryptographic transactions where subliminal channels can be placed. This significantly increases the availability of publicly accessible cryptographic transactions where subliminal channels can be placed.
In this paper, we propose a public-key subliminal channel using secret-recoverable splittable signature schemes on blockchains and prove that our construction is undetectable in the random oracle model under common cryptographic assumptions. Our approach is applicable to any secret-recoverable splittable signature scheme and introduces a constant overhead of a single signature per message. Such schemes are used by 98 of the top 100 cryptocurrencies. We also analyze the applicability of our approach to the Bitcoin, Monero, and RippleNet networks and present proof of concept implementations for Bitcoin and RippleNet.
Team
Morton
Morton is a researcher in the Forward-Looking Threat Research (FTR) team at Trend Micro, Inc. where he peers into the future of computers and society to identify the risks and vulnerabilities of the future. His past in computer security stretches back 30 years and he has been involved in most of the innovations in security, first at the University of Hamburg, Germany, then IBM Research and now Trend Micro. While originally active in malware analysis and computer forensics, recently his team has been focussing on massive threat data analysis for spotting new types of attacks quantitatively and also on modelling future threats to society that will accompany its inevitable march towards tighter integration in smart cities, intelligent transportation, supply chains and manufacturing. Morton, a native of New York City, has a Computer Science PhD degree from the University of Hamburg, and resides in the Hamburg, Germany area.
Dagmar
Coming from a non-technical background, Dagmar brings her knowledge of event organization to Elbsides. Through previous experiences in professional stage management / production for theatre in the UK and US, as well as Sci-Fi conventions in Germany, she teamed up with her husband Morton to organize events for the computer security industry, BSides Munich being among them. Having lived and worked in a variety of countries, she enjoys traveling the globe and seeing theatre productions, especially in London.
Stefan
For all his professional business life (even years before that) Stefan has been involved in information security. In 1993 he was the first student to be hired by the freshly launched DFN-CERT Services GmbH, the first Computer Emergency Response Team in Germany and also one of the first within Europe. After having spent a number of years in the PKI universe he worked as an IT security consultant for the next 15 years before re-joining the awesome crew at DFN-CERT Services GmbH in 2016. He likes IT forensics, Cyber Threat Intelligence, and malware analysis and loves helping people.
Florian
A past interest in archaeology brought Florian to the field of security. To him, both share a similar approach: recognizing the ideas of the past via its artefacts and the application of these lessons to form a better future. As a security engineer he tries to adopt this philosophy to the various aspects of the field, may it be user awareness, OS and network security or how to cloud securely. He also enjoys hot food, fast bikes and open source.
Debbie
Debbie is also a non-techie. Her passion for working in IT security started in 2019 with SCHUTZWERK, where she came into contact with Elbsides. She has been involved in the community ever since. Inspired by her former colleagues at SCHUTZWERK, she also started studying business informatics part-time in March 2021 to gain more IT knowledge. During her studies, which will end in fall 2024, she has left no opportunity to combine all topics with IT security. From June 2024, Debbie will be working as an Account Manager at AirITSystems. Her colleagues and her ensure that companies’ business-critical IT functions securely and smoothly. She is very much looking forward to this as she will be delving even deeper into the IT world.
Jonas
Jonas’ day job is in incident response and forensics at BlackBerry. During engagements he specializes in disk forensics and fast triage, relying heavily on automation to aid in fast recovery of customers affected by data breaches or malware incidents. In his spare screen time he engages in various open source efforts and likes researching new forensics related topics. Reverse engineering proprietary APIs, file formats and protocols is one of his main interests. In the great outdoors he enjoys geocaching and paddling. He also added aerial photography and semi-autonomous to fully manual flight with home-built UAVs and FPV drones to his outdoor activities.
David
David is an independent software developer, penetration tester and IT consultant. He likes to build software, analyze systems and troubleshoot weird computer problems. When not in front of a screen he enjoys a good physical challenge, doing various kinds of sports.
Fabian
Fabian currently works as an embedded software engineer for a small company in Northern Germany. He was working as a financial consultant when his fascination for technology led him back to school to study electrical engineering and digital systems. During his bachelors and master’s thesis he was able to get deep into the weeds of reverse engineering and secure code as part of the vulnerability analysis department at NXP. Whenever he isn’t sitting in front of a keyboard, he enjoys playing music and sports outdoors.
Matthias
Matthias has more than 25 years of experience in various industries, disciplines and roles in the world of IT. He now uses this experience as a freelance cybersecurity culture evangelist to support organisations on their way to becoming secure and resilient organisms. This has a lot to do with the agile mindset, where people take centre stage - processes ensure smooth interaction and technology is seen as a tool, not an end in itself! Apart from that, he likes to spend his time outdoors, preferably exploring new holiday destinations or cycling in the surrounding area.