Long time since last post.

#RomHack2019 attendees

I was very busy organizing the second edition of RomHack, the free cyber security conference made with ❤ by Cyber Saiyan – the non-profit organization I founded 2 years ago – that took place in Rome past 28th of September.

We had an incredible lineup with italian and international speakers coming from around the world and 400 attendees. Not just the conference; at the end of the conf 16 team played the on site Capture The Flag.

RomHack 2019 started with Samit Anwer speaking of implementation pitfalls on OAuth 2.0 authorization framework. Samit showed common malpractices that “relying party” and “authorization service provider” developers perform when implementing OAuth/OpenID based solutions and showed us the attacks that can happen and the mitigations that can be applied. [Slides here]

Then Orange Tsai & Meh Chang took the stage to show how they found pre-auth RCEs on multiple leading SSL VPNs used by nearly half of the Fortune 500 companies and many government organizations; then they elaborate on post exploitation and how they successfull hack into Twitter VPN, potentially hacking all the clients. Not bad 🙂 [Slides here]

Before the lunch Valerio Di Giampietro – talk in Italian – introduced us into IoT devices reverse engineering world. From hardware information gathering, through building an emulation environment and finally reversing and modify the firmware, Valerio showed a clear and detailed metodology to hack IoT devices. [Slides here]

Back from the lunch Francesco Perna & Lorenzo Nicolodi – talk in Italian – spoke about their personal experience during a Red Teaming activity. Their talk starts covering the legal part – often underestimated – and of course the technical side of the activity (hardware and software tools, exfiltration infrastructure etc). [Slides here]

On the defense side Vincent Le Toux – a core contributor to mimikatz – presented Ping Castle, a tool he developed to collect information from complex Active Directory domains without involving the admins. The talk focus is on the experience Vincent gathered on the field to protect a very complex & multi domain environment. [Slides here]

Last talk was from Luca Massarelli, a PhD student at Sapienza University in Rome. Luca presented SAFE, an open source tool he developed from its own university reasearch. Using a neural network to create similarity, SAFE can help during reverse engineering, vulnerability discovery and malware hunting. [Slides here]

After the conference, in the university cloister, we started the CTF, supported by Hack The Box staff: 5 hours, 16 teams, 80 people, 15 challenges (7 Fullpwn, 2 Web, 2 Pwn, 1 Reversing, 2 Crypto, 1 Forensic), prizes for the first 3 teams, lot of fun 😀

We had great times – all conf pictures here – and we are already working to bring you a wonderful #RomHack2020 next year.

Save the date! See you in Rome on saturday 26th of September 2020

PS: follow Cyber Saiyan to stay updated

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.