Long time since last post.
I was very busy organizing the second edition of RomHack, the free cyber security conference made with ❤ by Cyber Saiyan – the non-profit organization I founded 2 years ago – that took place in Rome past 28th of September.
We had an incredible lineup with italian and international speakers coming from around the world and 400 attendees. Not just the conference; at the end of the conf 16 team played the on site Capture The Flag.
RomHack 2019 started with Samit Anwer speaking of implementation pitfalls on OAuth 2.0 authorization framework. Samit showed common malpractices that “relying party” and “authorization service provider” developers perform when implementing OAuth/OpenID based solutions and showed us the attacks that can happen and the mitigations that can be applied. [Slides here]
Then Orange Tsai & Meh Chang took the stage to show how they found pre-auth RCEs on multiple leading SSL VPNs used by nearly half of the Fortune 500 companies and many government organizations; then they elaborate on post exploitation and how they successfull hack into Twitter VPN, potentially hacking all the clients. Not bad 🙂 [Slides here]
Before the lunch Valerio Di Giampietro – talk in Italian – introduced us into IoT devices reverse engineering world. From hardware information gathering, through building an emulation environment and finally reversing and modify the firmware, Valerio showed a clear and detailed metodology to hack IoT devices. [Slides here]
Back from the lunch Francesco Perna & Lorenzo Nicolodi – talk in Italian – spoke about their personal experience during a Red Teaming activity. Their talk starts covering the legal part – often underestimated – and of course the technical side of the activity (hardware and software tools, exfiltration infrastructure etc). [Slides here]
On the defense side Vincent Le Toux – a core contributor to mimikatz – presented Ping Castle, a tool he developed to collect information from complex Active Directory domains without involving the admins. The talk focus is on the experience Vincent gathered on the field to protect a very complex & multi domain environment. [Slides here]
Last talk was from Luca Massarelli, a PhD student at Sapienza University in Rome. Luca presented SAFE, an open source tool he developed from its own university reasearch. Using a neural network to create similarity, SAFE can help during reverse engineering, vulnerability discovery and malware hunting. [Slides here]
After the conference, in the university cloister, we started the CTF, supported by Hack The Box staff: 5 hours, 16 teams, 80 people, 15 challenges (7 Fullpwn, 2 Web, 2 Pwn, 1 Reversing, 2 Crypto, 1 Forensic), prizes for the first 3 teams, lot of fun 😀
Save the date! See you in Rome on saturday 26th of September 2020
PS: follow Cyber Saiyan to stay updated