Presentations – IT-DEFENSE 2025
20 Years of SAP Cybersecurity – Andreas Wiegenstein & Xu Jia
Most music bands publish some kind of “Best of” album once they have reached a certain age. Well, even though we are no music band, we have reached a certain age. This presentation is a roller coaster ride through different types of vulnerabilities that we have discovered in the SAP universe in the last 20 years. These vulnerabilities are closely linked to different SAP technologies and their design as well as the pitfalls they involve. If you think that SAP is “only a database”, you might be “SAPrised”.
This talk will be held in German.
Do Not Believe Everything You Think: on Fallacies and Other Confusions of our Brain – Prof. Dr. Martin Korte
This presentation sheds light on mechanisms of thinking and their biases and on how they can influence – and sometimes also distort – our decisions. Especially in relation to HR decisions – from hiring to evaluating and promoting people – we are required to base our decisions on criteria that are as objective as possible in terms of a selection of the best. This is why it is particularly worthwhile here to tackle the conscious and unconscious thought processes that could run counter to this demand.
In this presentation, Prof. Dr. Martin Korte will talk about the insights of neurobiology and explain how we can use this knowledge to improve our decisions in both our professional and private lives. He will explain how our brain works and describe the evolutive accidents that influence our thinking.
This talk will be held in German.
Hacker’s Perspective on New Risks: Revising the Cybersecurity Priorities for 2025 – Paula Januszkiewicz
The transformation is gaining momentum! Over the last tumultuous years, investments in digital transformation have been growing, with companies worldwide exploring its potential by introducing new technologies, approaches, and social changes. As more data than ever is put online, cybersecurity is now a major concern for everyone – large corporations, governments, and companies of all sizes. The transformation, however, also has its dark side. Thanks to it, hackers are able to exploit vulnerabilities in the infrastructure with even greater precision than before.
As the financial, operational, legal, and reputational implications of neglecting cybersecurity risks could be considerable, well-known analysis & protection methods should be developed and complemented.
During this presentation, the most serious risks of 2025 will be explored and explained. Paula Januszkiewicz will demonstrate how hackers and cybercriminals identify and exploit threats using the most up-to-date techniques so that you can observe them on your monitoring system and prevent them in the future. You will also become familiar with the most advanced phishing attacks, credential theft techniques, ransomware distribution methods, and ways of gaining access to vendor-controlled systems.
Join Paula to understand what is really possible in the year 2025. As the cyber transformation leads to better effectiveness of hackers' activities, there is no time to lose!
This talk will be held in English.
Vulnerabilities in TETRA:BURST – Jos Wetzels
This talk will present details of the TETRA:BURST vulnerabilities, the result of the first public in-depth security analysis of TETRA (Terrestrial Trunked Radio): a European standard for trunked radio used globally by government agencies, police, military, and critical infrastructure. TETRA relies on proprietary cryptographic algorithms that had remained secret for over two decades, until we reverse-engineered and published them in August 2023.
This secrecy has thwarted public security assessments and independent academic scrutiny of the protection that TETRA claims to provide. In this talk, we will discuss these cipher suites (TEA and TAA1 to be precise). As we will show, this security-through-obscurity has led to previously undisclosed flaws in Air Interface Encryption (AIE), authentication, and identity protection schemes going unnoticed and unaddressed, enabling both passive and active adversaries to intercept, manipulate, and inject TETRA network traffic.
This is particularly worrying for TETRA users in critical infrastructure, as found across the world at electric utilities, railways, and oil & gas. Here, the radio-based SCADA WAN networks (carrying protocols such as IEC-101/104, DNP3, or Modbus) typically cover large geographic areas and as such an SDR-equipped attacker residing outside the physical perimeter of a substation or plant could break into the TETRA network to drop themselves directly into the OT network. We will discuss several relevant attack scenarios on such TETRA SCADA networks as used at electric utilities and railways as well as corresponding hardening and mitigation advice.
In addition, we will provide a demonstration of such an attack scenario and discuss the new developments in TETRA security since our initial disclosures.
This talk will be held in English.
NIS-2, RCE and CRA – on Tour through the Jungle of Regulations – Dr. Christoph Wegener
A large number of regulatory requirements on a European level has seen the light of day in the last two years. The “directive on measures for a high common level of cybersecurity across the Union (NIS-2)”, the “directive on the resilience of critical entities (RCE)” and the “regulation on horizontal cybersecurity requirements for products with digital elements (CRA)” are currently particularly relevant in the context of information security.
Due to the typical complexity of these (EU) requirements, it is often difficult to find out whether one is affected by them, and the precise requirements and implementation deadlines are also often unknown. The presentation sheds light on this and provides answers to the questions typically asked by potentially affected entities: “Are we affected as an entity?”, “Which requirements do we now have to fulfill?” and “How much time do we have for this?”. In addition, the presentation shows which implementation guides exist – if there are any at all – and how to appropriately organize each step on the way to the goal.
This talk will be held in German.
How Big Is Our Cyber Risk? – Peter Wimmer & Stefan Koppold
Security experts have often heard this question being asked by boards of directors. When TRATON, Volkswagen Group’s truck branch, wanted to join a new group cyber risk insurance, it was necessary to create a precise calculation of the entire cyber risk for TRATON Group.
For this purpose, the risk, treasury and information security departments of TRATON developed an interdisciplinary approach for an aggregated monetary risk analysis. The evaluation of the overall risk – not only of the specific risks of an individual brand – shall take the following into account:
- Ranges of risks need to be evaluated, i.e. not only singular scenarios but also average and extreme cases (those that make the headlines).
- Dependencies with business units (e.g. production, logistics, legal and IT) need to be considered as well.
About 20 relevant cyber risk scenarios were identified in the areas of cyberattack, data security, business continuity and (being a company in the automotive sector) road security, which were analyzed for each main brand in 55 cases.
The impact of these scenarios on the entire group was then analyzed using Monte Carlo simulations and cumulative distribution functions.
Finally, a verifiable quantification of the group’s overall cyber risk and a realistic dimensioning for the deductible and the amount insured were developed. The procedure is explained in this presentation.
This talk will be held in German.
Vishing > Phishing: Initial Access Made Simple – Hagen Molzer
For some time now, it has been apparent that there is a shift from phishing to vishing (voice phishing) as a vector for the initial access phase in real attacks against companies. As a professional provider of simulations of such attacks in the form of red team exercises, we are also adapting to this trend. Phishing via email has long been one of the most popular attack vectors to gain initial access to an organization’s internal network. Being successful with this is getting more and more difficult due to the different technical and organizational measures on the part of our customers and because employees are increasingly aware of the risks from phishing via email.
This is why we also increasingly often use vishing instead of phishing to achieve our goal. In this talk, we will explain the advantages of this alternative vector and outline one possible (and often alarmingly successful) procedure. We will also describe the technical infrastructure and common social engineering techniques we use to gain our “victim’s” trust and willingness to cooperate.
Finally, both technical and organizational countermeasures will be explained to reduce the risk that these types of attacks are successful.
This talk will be held in German.
Who Controls the Network, Controls the Universe – Nate Warfield
This talk will be held in English.
Cybersecurity’s New Imperative: Defending Enterprise and National Cognitive Infrastructures - Winn Schwartau
A long time ago, on June 27, 1991, Winn testified before the US Congress and was asked, “Mr. Schwartau: Why would the bad guys ever want to use the internet?”
Today, our cognitive infrastructure is under attack, and humanity needs cybersecurity professionals more than ever. Reality is only a keystroke away.
Metawar is the art and science of manipulating your reality. It is the battle for control over one’s belief systems, identity, and sense of reality outside one’s conscious awareness. Reason and emotion are incompatible operating systems.
Big Tech is digitally terraforming the planet’s future cognitive infrastructure, Web 3.0, with little concern for the downsides. The metaverse is an evolving, immersive storytelling environment designed to be the most powerful and addictive reality distortion machine ever conceived. It will also predict and anticipate your every desire and every move!
On the global stage, metawar represents the sixth domain of warfare. They who control the technology control the narrative. We have no choice but to learn how to coexist with the reality-distorting technologies we have created by implementing technical, policy, and cognitive defenses to protect our sense of truth, reality, and self-identity.
Winn’s keynote is a call to action.
The cybersecurity community is among the best problem solvers the planet has ever seen. It acts as a team, a collective of like-minded individuals with an amazing array of skills who stop at nothing to achieve their aims—against all odds. Winn challenges us with a new goal: Strengthen and defend the human mental immune system. Our brains, sensory nervous systems, and minds are the new attack surfaces. Will the cybersecurity community rise to the challenge of solving the most existential threat it has ever faced? Or not.
To survive, humanity must adapt to and coexist with technology.
This talk will be held in English.
The Imposter’s Guide to Hacking… Without Technical Talent! – Jayson E. Street
Hear from a lifelong imposter who has been fooling people for decades! Watch examples of the no talent and lack of technical know-how hacks using just a credit card and imagination. See a new perspective on utilizing everyday devices and toys being repurposed with almost zero modification into attack tools. Marvel at the audacity of this speaker’s declaration of his right to be called a hacker! Listen to this “pick me guy’s” virtue signaling rants on subjects that he can only be considered a tangible ally on at best! Try to make it to the end of his talk where he casts judgments and harsh critiques on a community that is failing so many of us with nonsense standards and prejudiced expectations which are only there to appease gatekeepers whose insecurities fuel the toxicity in OUR community! Oh, and there will probably be some memes so yeah that’ll help!
This talk will be held in English.
Windows Hello Abuse – The Sequel – Dirk-jan Mollema
Windows Hello and its enterprise variant Windows Hello for Business (WHFB) are modern passwordless authentication methods that are promoted by Microsoft as secure, hardware bound and resistant to phishing attacks. Last year, we already saw that many of the security features did not exactly hold up, and that it was possible to provision WHFB methods without MFA, use them for lateral movement on other accounts and for movement from Entra ID to on-prem AD via cloud Kerberos trust. In this talk, we will cover even more WHFB abuse, showing how WHFB keys can be provisioned during phishing scenarios, including device code phishing and credential phishing. We will also talk about how Windows Hello keys are protected and used on Windows devices, showing how attackers can use the keys for lateral movement and persistence once they have access to a user’s session. Lastly, we will explore what this means for you and how you can best defend yourself against these attacks.
This talk will be held in English.
Your Copilot Is My Insider – Inbar Raz
The race to capture the benefits of GenAI is already at full speed, and everybody is diving head-first into putting corporate data and operations in the hands of AI. The concept of a Copilot has emerged as a way to keep AI tamed and under control. However, while employees rarely cross the lines and become rogue, it turns out that Microsoft Copilot is rogue by design.
In this talk, we will show how your Copilot Studio bots can easily be used to exfiltrate sensitive enterprise data circumventing existing controls like DLP. We will show how a combination of insecure defaults, over-permissive plugins and wishful design thinking makes data leakage probable, not just possible. We will analyze how Copilot Studio puts enterprise data and operations in the hands of GenAI and expose how this exacerbates the prompt injection attack surface, leading to material impact on integrity and confidentiality. It's just like having an insider at your competition!
Next, we will present CopilotHunter, an open-source recon and exploitation tool that scans for publicly accessible Copilots and uses fuzzing and GenAI to abuse them to extract sensitive enterprise data. We will share our findings targeting thousands of accessible bots, revealing sensitive data and corporate credentials.
Finally, we will offer a path forward by sharing concrete configurations and mistakes to avoid on Microsoft’s platform, and generalized insights on how to build secure and reliable Copilots.
This talk will be held in English.