Challenges Building the Largest
Global Data Breach Database

Nelson Novaes Neto & Anchises Moraes

This research helps to understand the challenges of proper visibility of security incidents on a global scale. The results of this research can help government entities, regulatory bodies, security and data quality researchers, companies, and managers to improve the data quality of data breaches.


Primary Learning Objectives
1. This research helps to understand the challenges of proper visibility of data breach incidents on a global scale and shows how even the best industry reports may fail to provide a proper estimate of cybersecurity incidents.
2. The results of this research can help government entities, regulatory bodies, security and data quality researchers, companies, and managers to improve the data quality of data breach reporting.
3. This research will improve the visibility of the data breach landscape around the world in the future.

Every action counts (Toda atitude conta): when secure habits earn rewards

Letícia Freitas

Gamification means using the best that games have to offer in real-life situations that are not so much fun. After all, not everyone wakes up wanting to learn about security, but practicing it does not have to be a drag.

In this spirit, "Toda atitude conta" ("Every action counts") was born: Globo's information security rewards program. With it, actions such as reporting incidents and threats to intellectual property; identifying flaws in systems; taking part in workshops, games or quizzes; answering surveys; and following good practices earn "miles". The balance can be exchanged for experiences, coupons, discounts and products.

That way everyone wins: the security teams, which can now count on the cooperative behaviour of users and not only on technological tools and processes; and the people, who are recognized and redeem ever more interesting rewards as they engage with the initiatives.

Back to the Future: 10 years later,
what has changed?

Cris Thomas (Space Rogue)

Space Rogue returns to YSTS Con after a ten-year hiatus. In 2012 Space Rogue spoke to the YSTS Con crowd on the state of the information security industry and has now returned to examine whether things are better or worse. Are the attackers getting the upper hand, or are defenders winning the fight? Has technology made our lives easier or made things unnecessarily complicated? And what about the next ten years? How will security and the industry change between now and 2032?

Speeding Up AWS IAM Least Privileges with Cloudsplaining, Elastic Stack &
AWS Access Analyzer

Rodrigo Montoro

There are two main problems in the cloud security world: IAM permissions and control plane misconfigurations.

In today's cloud security world, access keys are the new perimeter, and the permissions associated with those keys are the limits of that perimeter. So, most of the time, the initial vector into a company's cloud environment is a leaked key. There are several ways an access key can be obtained:


  1. Portal / API (creation time)
  2. Application
  3. Metadata (http://169.254.169.254)
  4. Code leak
  5. Endpoint (.aws/credentials, history, hardcoded)
  6. Third party (cross account)
  7. Tools configuration (scans, CI/CD)
  8. Social engineering


So, given that an access key is the new perimeter, IAM with least privilege becomes a mandatory part of the security posture of an AWS account. It mitigates the damage when an access key is leaked, stolen, or otherwise used by an unauthorized party. To help with this least-privilege process, the Salesforce cloud team developed a tool to identify such violations, called Cloudsplaining.

Using Cloudsplaining makes our daily permissions monitoring considerably easier. But with multiple accounts it was not easy to prioritize properly, so we added another step to the process: ingesting all results into Elastic Stack. This step helps prioritize the fixing of misconfigurations. It identifies problems across the hundreds of policies analyzed from different accounts and scores policy risk based on the Cloudsplaining output.

In this presentation we will explain the pipeline we created: extracting and analyzing permissions with Cloudsplaining, ingesting and enriching the results with Elastic Stack, and finally using Access Analyzer policy suggestions to generate a better policy that mitigates over-permissive policies.

Who enabled the macros? Attack scenarios via Microsoft Office files.

Gustavo Palazolo

Office documents are commonly used by attackers to infect devices with different kinds of malware, such as ransomware, remote access trojans and backdoors. Due to the growing use of this type of attack, Microsoft announced two measures in early 2022 to protect users from malicious documents. The first was to restrict Excel 4.0 macros as a measure to block malware based on XLM 4.0 macros. The second was even more aggressive: blocking VBA macros by default in files downloaded from the internet. Despite these protections, we can still observe successful attacks using malicious files. In this talk we will learn more about the different threat scenarios involving Office documents, showing some of the techniques used to evade detection. We will also discuss how attackers are integrating cloud services into the attack flow to be more resilient. Finally, we will show what attackers are doing to adapt to these recent protections released by Microsoft.

Enumerating attacks & breach feasibility using a threat simulation approach

Daniel Gomes

With the constant evolution of the threat landscape, involving not only malware but also increasingly advanced attacks carried out by threat actors whose resources seem limitless, it is necessary to think of a strategy to evaluate security controls and the paths of possible exploitation. This means it is also essential to assess an organization's people and processes to verify where they could be compromised. In this talk, we will discuss how attack simulation tools can be paramount in the mission of continually validating, optimizing, and ensuring an adequate security posture.

Fireside chat with The Dark Tangent

Jeff Moss

In a unique opportunity, YSTS 14 attendees will be able to take part in a live (and remote) Q&A with Jeff Moss (aka The Dark Tangent) in an informal chat.

Jeff is the creator and founder of the Def Con and Blackhat conferences, a member of the CISA Cyber Security Advisory Council, and has a broad view of and interesting perspectives on the security market.

How fraud groups work on
Telegram and WhatsApp

Thiago Bordini

The study presents a strategic analysis of the main illicit actions mapped, the payment methods used, and other issues. From a technical point of view, the counterintelligence techniques adopted and the effectiveness of each will be presented, as well as technical indicators such as VPN and proxy use, among other aspects.

Many investigators talk about cybercrime on the deep and dark web, but in LATAM the reality is a little different. Given lenient legislation and the difficulties of cyber investigation, WhatsApp and Telegram are now part of the largest network for fraud-related and other illicit activities. Today it is possible to buy counterfeit notes, machines infected with banking trojans, money laundering accounts, credit cards, internet banking access data, PII, databases, payment of bills and taxes, drugs, among other "products and services". The study gives insight into how the groups operate, the main scams, and especially how counterintelligence can help in gathering information about targets. The result includes a broad analysis performed through counterintelligence techniques, which made it possible to map the main OPSEC techniques employed by the attackers, the operating systems used, providers, geographic region, and other information.

Hardware Witchcraft, the cult
of fault injection

Julio Della Flora

The talk "The Cult of Fault Injection" demonstrates the possibility of subverting the execution flow of software/firmware by manipulating the environmental conditions of integrated circuits.

The class of attacks known as "fault injection" has been referenced in previous talks and will be narrowed down here to practical examples of voltage- and electromagnetic-field-based attacks.

Through contact with the manufacturer NewAE, some of the solutions made by the company were made available to the author. Tools such as ChipWhisperer and ChipSHOUTER-PicoEMP will be used in the demonstrations, raising the complexity of the attacks and resulting in greater control over the compromised integrated circuits.

Prilex: the pricy prickle credit card complex

Fábio Assolini & Fábio Marenghi

Prilex is a threat actor of Brazilian origin that has evolved from ATM-focused malware into modular point-of-sale malware. They were behind one of the largest attacks on ATMs in the country, infecting more than 1,000 ATMs and cloning 28,000 credit cards at once. But the criminals' greed had no limit: they wanted more, and they achieved it.

Active since 2014, the group decided in 2016 to give up ATM malware and focus all their attacks on PoS systems, targeting the core of the payment industry. They quickly adopted Malware-as-a-Service operations and expanded their reach abroad. Since then, we have been tracking the threat actor's every move, witnessing the damage and the big financial losses brought to the payments industry.

In this presentation we will show how Prilex evolved from a simple memory scraper into a very advanced and complex malware: adopting a unique cryptography scheme, patching the targeted software in real time, messing with replies, libraries and communications, switching from a replay-based attack to being able to manipulate cryptograms, performing GHOST transactions, and capturing tracks even from credit cards protected with chip-and-PIN technology.


The audience will learn:

  • Technical analysis of PoS malware coming from Brazil
  • Operational details about how the attacks were carried out
  • The evolution and refinement of their techniques
  • Cryptogram-, replay- and GHOST-based attacks
  • PoS software vulnerabilities and vendor responses
  • Trends and the future of the payments industry

Third-Party Identities and Access: the headache has grown

Flávio Bontempo

In the post-pandemic scenario there was an explosion of access credentials for "outsourced" workers, popularly called "third parties", which include contractors, suppliers, partners, affiliates, volunteers, students, freelancers and even bots.

This raised the risk of malicious use of these credentials, which have recently been frequent vectors for data leaks and fraud.

The difficulty of maintaining centralized governance of these identities creates hidden vulnerabilities and risks, from onboarding through offboarding and disposal. Even applying the Zero Trust model is hampered by this contested ground.

In this session we will discuss the points of attention in the current scenario and the applicability of the Zero Trust model to the governance and management of third-party access.

Learn. Be inspired.

The presentations are carefully selected, always aiming to strike the right balance not only between technical and managerial aspects, but also among career, academic and other relevant information security topics. Renowned speakers from Brazil and abroad are invited or selected through our call for papers.