Jan 27, 2016

Trainer spotlight - Dawid Czagan/Hacking web applications

In a "guest post" Dawid Czagan explains a little more about what attendees can expect from his training...


My hands-on training Hacking web applications – case studies of award-winning bugs in Google, Yahoo, Mozilla and more is unique, because it is based on real, award-winning bugs found in famous companies like Google, Yahoo, Mozilla, Twitter,... Students will learn how bug hunters think and how to hunt for security bugs effectively. To be successful in bug hunting, you need to go beyond automated scanners. If you are not afraid of going into detail and doing manual/semi-automated analysis, then this hands-on training is for you.

It will be the second edition of this training at BruCON. The first one (BruCON 2015) was sold out. 

After completing this training, students will have learned about:
  • tools/techniques for effective hacking of web applications
  • non-standard XSS, SQLi, CSRF
  • RCE via serialization/deserialization
  • bypassing password verification
  • remote cookie tampering
  • tricky user impersonation
  • serious information leaks
  • browser/environment dependent attacks
  • XXE attack
  • insecure cookie processing
  • session related vulnerabilities
  • mixed content vulnerability
  • SSL strip attack
  • path traversal
  • response splitting
  • bypassing authorization
  • file upload vulnerabilities
  • caching problems
  • clickjacking attacks
  • logical flaws
  • and more…

This hands-on training was attended by security specialists from big companies like Oracle, Adobe, ESET, ING, Red Hat, Trend Micro, Philips, government sector and it was very well-received (recommendations here: https://silesiasecuritylab.com/services/training/#opinions ).

Students will be handed in a VMware image with a specially prepared testing environment to play with the bugs. What's more, this environment is self-contained and when the training is over, students can take it home (after signing a non-disclosure agreement) to hack again at their own pace.

Dec 10, 2015

BruCON 0x08 - Spring training - Open for registration

We are proud to present to you our program for the 2016 BruCON 0x08 Spring Training (20-22 April)

The line-up! : 

  • Corelan Bootcamp by Peter Van Eeckhoutte (3-day training) - Corelan is back at BruCON ! One of the best exploit development courses available, now in our spring training track. Prepare yourself for 3 long days (+10 hours/day) of intensive exploit development ! Lunch and dinner are included and, as always enough coffee to keep you going!
  • Hacking web applications – case studies of award-winning bugs in Google, Yahoo, Mozilla and more by Dawid Czagan (2-day training) - Have you ever thought of hacking web applications for fun and profit? How about playing with authentic, award-winning security bugs identified in some of the greatest companies? If that sounds interesting, join this unique two-day hands-on training!
  • Analysing Malicious Documents by Didier Stevens (2-day training) - One of our resident trainers and fellow Belgian, Didier Stevens, will teach you how to analyse malicious PDF or MS Office documents using his own created Phyton tools in this 2-day course!
  • Offensive IoT Exploitation by Aditya Gupta and Aseem Jakhar (3-day training) - This unique course offers penetration testers the ability to assess the security of smart devices. The training will cover assessing IoT attack surfaces and finding security issues with hands-on exercises and is valuable for anybody interested to learn about IoT security.
  • PowerShell for Penetration Testers by Nikhil Mittal (3-day training) - In this course, you'll learn how to attack Windows network using PowerShell, based on real world penetration tests. It includes a mixture of lectures, demonstrations, exercises, hands-on and as well as a CTF which attendees could try during and after the course.
  • Mobile Application Exploitation (iOS and Android) by Prateek Gianchandani (3-day training) - A completely hands-on training on exploiting mobile applications for the iOS and Android platform. The training is based on exploiting Damn Vulnerable iOS app and other vulnerable apps which are written by the trainer in order to make you understand the different kinds of vulnerabilities in mobile applications. You can test your skills in the CTF at the end !

Early-bird registration till the end of the year! 
The training location will be Novotel Ghent Centrum.

All training details and registration links can be found on the BruCON training pages (link)

your BruCON team.

Nov 1, 2015

BruCON 0x08 - Spring training - Call for training

BruCON 0x07 is over and we had a great time hosting the trainings, workshops and conference ! As we want to be on time for the 0x08 Spring training edition (Wed 20 - Fri 22 April 2016), we would like invite you to submit your training. 

Please take into account the following guidelines : 
  • BruCON hosts predominantly offensive technical security training sessions. We don't have any specific focus areas for now, so please submit any training you deem interesting !
  • Training should be either 2 or 3 days with a preference for the latter.
  • You are allowed to submit multiple training suggestions, however please specify if they can be hosted simultaneously.
  • If you have additional hardware that need to be taken into account, please specify including the additional costs.
If you submit a training, please include, at minimum, the following information : 
  • Description
  • Course content
  • Target audience
  • Trainer biography
  • Hosted before ? If so, where and when
The deadline for you submissions is Friday 20 November COB (GMT+1). You can submit per mail to training@brucon.org. You will receive an acknowledgement that your submission has been well received. 

Please also use this address if you have any questions.

Kind regards

The BruCON Training crew

Sep 3, 2015

Logistics Update

Good evening Brucon Followers !

We just thought we'd drop a quick update on some of the happenings/logistics for Brucon this year.

Training Updates:
-----------------

* Colin Ames will replace Russ Gideon as the trainer for the Tactical Exploitation and Response training

* Justin Searle will be giving the ICS training instead of Don C. Weber

Hak4Kidz at Brucon !
--------------------

Hak4Kidz is an event by ethical hackers and Information Security professionals dedicated to bring the educational and communal benefits of whitehat hacking conferences to children and young adults. We plan to accomplish this mission by putting our collective expertise and passion on display for the attendees to interact with us at their will.

Full details in our prior update here: 

http://blog.brucon.org/2015/08/hak4kidz-at-brucon.html


General Updates:
----------------

There may still be a CTF happening this year. Apologies for the oscillation on this topic. It's been a little tougher to nail down the details for this edition. More news on this as soon as we have something news worthy.

Our volunteer system is almost ready for population. If you'd like to help out at Brucon this year and be part of the awesome crew that makes it happen every year hit up our volunteer page and mailing list:

http://2015.brucon.org/index.php/Volunteers

We will be streaming Brucon again this year. We've had feedback that this wasn't properly advertised last year so we will do our best to get the news out on this ahead of time.

Lastly check our the promo video from Brucon 2014 to get a taste of what's to come:

https://www.youtube.com/watch?v=ySmCRemtMc4

The Brucon Team looks forward to welcoming everyone in October.

Don't miss out.

Aug 19, 2015

Hak4Kidz at Brucon

Hak4Kidz is an event by ethical hackers and Information Security professionals dedicated to bring the educational and communal benefits of whitehat hacking conferences to children and young adults. We plan to accomplish this mission by putting our collective expertise and passion on display for the attendees to interact with us at their will. A combination of workshops complementing an open area of stations will enable the attendees to expand and enlighten their technical interests. For innovation to perpetuate, it’s imperative that today’s young users are exposed to the bigger picture of how we got here and to help realise their potential.


Some key Hak4kidz points:
- all day on Sun 4-Oct
- 25 EUR/kid, one adult gets in for free (name to be provided upfront)
- in Novotel Ghent
- from 7 to 17 yo
- activities & workshops like: hardware destruction, circuitry, crypto puzzles, programming, ...

For more information and registration, go to https://registration.brucon.org/hack4kidz-registration/

If there are any questions, please get in touch !!

See you Soon.


Jun 3, 2015

BruCON 0x07 Training track complete

We are proud to present to you our complete training track for this 0x07 edition of BruCON. 

The line-up! : 
  • Practical Malware Analysis: Rapid Introduction by  Andrew Honig (3 day training) : One of BruCONs most popular trainings is back. The co-author of the book will be hosting one of our most popular training tracks. Students also get a free copy of Practical Malware Analysis: The Hands-On Guide to Dissecting Malicious Software. 
  • Tactical Exploitation and Response by Russ Gideon (3 day training) : Russ, being the Director of Training and Malware Research at Attack Research bring along a ton of experience and a well balanced program for tactical exploitation and response.
  • Hacking web applications – case studies of award-winning bugs in Google, Yahoo, Mozilla and more by Dawid Czagan (2 day training) : Have you ever thought of hacking web applications for fun and profit? How about playing with authentic, award-winning security bugs identified in some of the greatest companies? If that sounds interesting, join this two-day hands-on training!
  • Wireshark WiFi and Lua-Packet Class by Didier Stevens (2 day training) : Wireshark is the number one network security tool according to SecTools.org top 125 Network Security Tools survey. But did you ever spend time to familiarize yourself with the many powerful features of this excellent security tool? If you did not, then now is your chance to learn as much as you can in this class and receive your complementary AirPcap adapter for Windows.
  • Cyber Breach Management by Chris Nutt (3 day training) : This course will teach students how to successfully manage the people, processes, and voluminous data required to successfully investigate and recover from a breach. All phases of the incident response process will be covered and hands-on exercises will provide tools for analyzing system artifacts as well as scrutinizing and communicating technical findings.
  • Offensive IoT Exploitation by Aditya Gupta and Aseem Jakhar (3 day training) : A brand new and unique course which offers penetration testers the ability to assess the security of  smart devices. The training will cover assessing IoT attack surfaces and finding security issues. 
  • Assessing and Exploiting Control Systems by Don C. Weber (3 day training) : This is not your traditional SCADA security course! How many courses send you home with your own PLC and a set of hardware/RF hacking tools?!? This course teaches hands-on penetration testing techniques used to test individual components of a control system, including embedded electronic field devices, network protocols, RF communications, and master servers.
The training location will be Novotel Ghent Centrum.

All training details and registration links can be found on the BruCON training pages (link). Early Bird registration is possible until the 1st of August  and be found here

your BruCON team.

May 16, 2015

BruCON 0x07 Line-up and Early Bird Registrations

Hello there BruCONneers!

Over the past month we have been chewing over the CFP submissions. We received really great proposals and had to make some tough choices. And finally, white smoke!

We are thrilled to propose you the Line-Up for BruCON 0x07:

Keynotes
  • Dave Kennedy, Co-founder of TrustedSec and Binary Defense Systems. Co-author of the book "Metasploit: The Penetration Testers Guide," the creator of the Social-Engineer Toolkit (SET), and Artillery
  • Shyama Rose, Vice President of Information Security for Live Nation Entertainment

Talks
  • Willi Ballenthin and Jon Tomczak - Shims For The Win: Case study and investigative techniques for hijacked Application Compatibility Infrastructure
  • Alexandre Dulaunoy and Pieter-Jan Moreels - cve-search - A free software to collect, search and analyse common vulnerabilities and exposures in software
  • L. Grecs - Creating REAL Threat Intelligence ... with Evernote
  • Mark Hillick - Levelling Up Security @ Riot Games
  • Samuel Hunter and Adam Schoeman - Explosive Honey: Improving intelligence collected by Honeypots
  • Ryan Kazanciyan and Matt Hastings - Desired state: compromise
  • Dhia Mahjoub and Thomas Mathew - Unified DNS View to Track Threats
  • David Mortman - SSO: It's the SAML SAML Situation (With Apologies to Mötley Crüe)
  • Rushikesh Nandedkar and Amrita Iyer - The .11 Veil, Camouflage & Covert!!! /*Invisible Wifi, Revealed */
  • Chris Nickerson - Nightmares of a Pentester
  • Kuba Sendor and Ivan Leichtling - OSXCollector: Automated forensic evidence collection & analysis for OS X
  • Eric Smith - Advanced Red Teaming: All your badges are belong to us
  • Richard Thieme - Hacking as Practice for Transplanetary Life in the 21st Century: How Hackers Frame the Pictures in Which Others Live
  • Mathy Vanhoef - Advanced WiFi Attacks using Commodity Hardware

Workshops

  • Pieter Danhieux and Erik Van Buggenhout - Hands-on Incident Response Workshop
  • Sergei Frankoff and Sean Wilson - Crowdsourced Malware Triage Workshop - Making Sense of Malware with a Browser and a Notepad
  • Prateek Gianchandani - iOS application pentesting
  • Chris Lytle and Leigh Lytle - Hands-On Old School Cryptography
  • Chris Lytle and Matt Jakubowski - BrewCon
  • Vito Rallo - Kernel Tales
  • Vivek Ramachandran - Wi-Fi Network and Host based Intrusion Detection & Forensics for Pentesters
  • Arnaud Soullie - Pentesting ICS 101
  • Didier Stevens - A Hands On Introduction To Software Defined Radio
  • DJ Jackalope, Ocean Lam, Count Ninjula and Keith Myers - DJ workshop

Villages
  • ICS Village
  • Hak4kidz - Hacking conference for children (Sunday 4-Oct)

Sounds
  • Ocean Lam (Hong Kong)
  • DJ Jackalope (Las Vegas)
  • Count Ninjula (Los Angeles)
  • Keith Myers (Los Angeles)
  • keroSerene (Serene Han, pianist)

Training
  • Andrew Honig - Practical Malware Analysis: Rapid Introduction (3 day training)
  • Russ Gideon - Tactical Exploitation and Response (3 day training)
  • Dawid Czagan - Hacking web applications - case studies of award-winning bugs in Google, Yahoo, Mozilla and more (2 day training)
  • Didier Stevens - Wireshark WiFi and Lua-Packet Class (2 day training)
  • Chris Nutt - Cyber Breach Management (3 day training)
Stay tuned for more training announcements!

You might want to come earlier, as we have some extra activities on Wednesday 7-Oct in the pipeline :-)

Early Bird registration is now open for the conference and the trainings!

Cheers,


the BruCON team