
Friday, July 26

8:30am CDT

Participant registration for the second edition of Security BSides CDMX 2019

Friday July 26, 2019 8:30am - 5:00pm CDT
Universidad La Salle

9:00am CDT

Welcome panel

Friday July 26, 2019 9:00am - 9:30am CDT
Universidad La Salle

9:30am CDT

A Study of Common Security Flaws Found in Mobile Banking Applications

A study conducted by analyst firm Aite Group examined the protective capabilities of 30 different financial services applications downloaded from the Google Play store. The research revealed nearly all of the apps could be easily reverse engineered to expose personally identifiable information, account credentials, source code, API keys and access to back end systems.

In this talk, we’ll demonstrate how, using commonly available tools, the researcher was able to reverse engineer these financial applications, revealing a systemic lack of appropriate application protection. We’ll outline the key vulnerabilities the research uncovered and share how you can protect your organization’s apps against data breaches and the resulting brand damage and financial loss.


Friday July 26, 2019 9:30am - 10:20am CDT
Universidad La Salle

9:30am CDT

Various activities
Capture the flag, lockpicking, sponsor area, music, snacks and plenty of socializing within the community.

Friday July 26, 2019 9:30am - 7:00pm CDT
Universidad La Salle

10:00am CDT

Criminal Intelligence, TRAME Protocol attacks and shutdown.
Little is currently known about the TRAME protocols, their interaction with SCADA and their failures in PCBs. Showing the real possibilities of stopping a meter, or attacking a power station without the need for malware, can be exciting.

The TRAME routing system, like that of the original ARPAnet, was based on the Bellman-Ford algorithm with “split-horizon”, as in the Swedish TIDAS network, but with an original improvement. This protocol finds optimal paths in meshed networks for each packet to transmit, allowing multiple services to share the same network. SCADA requirements for data integrity and availability are set by International Electrotechnical Commission (IEC) standard IEC-870-5-1 and ANSI C37.1. Sniffing the packets through the multiple uncorrected bugs makes the attack possible: the message that the control center receives is manipulated, using this bug as a vector for a series of attacks. The protocol’s trames make the attack possible due to the faulty functioning of the router PCBs (TRAME+). A directed attack can stop the operation of a power station or a simple metro station.


Michael Hudson

CHAP Security
Michael Hudson is the founder of CHAP Security, where he currently serves as Executive Director. He is also CEO of INTROEXON Ltda, a company that develops software for medical platforms, doing research and development in information security, protection of patient data and...

Friday July 26, 2019 10:00am - 10:25am CDT
Universidad La Salle

10:00am CDT

Back to basics
A talk focused on the basics of pentesting: back to old school and no tools.

Friday July 26, 2019 10:00am - 10:30am CDT

10:30am CDT

Atomic Threat Coverage: operationalized ATT&CK
There are plenty of decent projects that provide analytics (or functionality) with a specific focus (Sigma, Atomic Red Team, MITRE CAR). All of them share one weakness: they exist in the vacuum of their own area. In reality everything is tightly connected: data for alerts doesn’t come from nowhere, and generated alerts don’t go nowhere. Each function, i.e. data collection, security systems administration, threat detection, incident response etc., is part of a big and comprehensive process implemented by multiple departments, which demands their close collaboration.

Sometimes the problems of one function can be solved by the methods of another function in a cheaper, simpler and more efficient way. Most tasks can’t be solved by one function at all. Each function depends on the abilities and quality of the others. There is no efficient way to detect and respond to threats without proper data collection and enrichment. There is no efficient way to respond to threats without understanding which technologies/systems/measures can be used to block a specific threat. There is no reason to conduct a penetration test or Red Team exercise without understanding the ability of processes, systems and personnel to combat cyber threats. All of these require tight collaboration and mutual understanding between multiple departments.

In practice there are difficulties in collaboration due to:

Absence of a common threat model/classification and of common terminology and language to describe threats
Absence of a common understanding of goals
Absence of a simple and straightforward way to explain specific requirements
Differences in competence level (in both depth and areas)

That’s why we decided to create Atomic Threat Coverage: a project which connects different functions/processes under a unified threat-centric methodology (Lockheed Martin Intelligence Driven Defense®, aka MITRE Threat-based Security) and threat model (MITRE ATT&CK), and provides security teams an efficient tool for collaboration on one main challenge: combating threats.


Daniil Yugoslavskiy

Daniil leads the Threat Detection team at Tieto Security Operations Center (SOC) in Ostrava, Czech Republic. Before that, he was responsible for process and systems architecture development at Informzaschita SOC in Moscow, Russia. Daniil spent more than six years in Practical Computer...

Friday July 26, 2019 10:30am - 11:20am CDT
Universidad La Salle

10:30am CDT

Threat Hunting, beyond just tools
This presentation aims to explain that Threat Hunting is a procedure that is necessary nowadays to identify advanced threats that security products do not recognize, and that although there are tools that automate threat hunting, it needs the commitment of several areas to properly manage incidents, from top management to digital asset owners. Methodologies that can be combined to go from scratch to an adequate level of maturity will be presented. Experiences will also be presented, along with the challenges that I have had to overcome in order to achieve an adequate implementation of Incident Management Processes.


Ramiro Pulgar

Blue Hat Consultores
I am a Cybersecurity Consultant in Ecuador and other countries in Latam. I work at Blue Hat Consultores. I have been an instructor to more than 1000 students in Latam, teaching InfoSec topics. I have 20+ international InfoSec certifications.

Friday July 26, 2019 10:30am - 11:20am CDT
Universidad La Salle

10:30am CDT

Beyond BOF
A workshop about heap-based exploitation attacks against a Linux x64 binary. Because the heap is the new sexy.

This workshop aims to show what to do when all of the fancy buffer overflow tricks don’t work anymore.

The topics are:

Basic use of Pwndbg.
What the heap is.
How the heap works.
Why Feng Shui matters.
Relationship between libc and the heap.
Security mechanisms.
Heap overflow challenge.
Fastbin Attack challenge.


Yair Lopez

Mayas CTF Team | DieBartDie Team

Friday July 26, 2019 10:30am - 1:30pm CDT
Universidad La Salle

10:30am CDT

Applied Cryptanalysis

Based on CTFs, code analysis assessments and penetration testing, I can tell that cryptography has long been forgotten by professional developers, security professionals and almost everyone involved in securing a system, so a single error such as hardcoding a key or an IV in the source code, or a wrong mode of operation, can lead to great fun or great demise. There are multiple attacks that involve mathematics, but they involve more than just that: they are more about real comprehension of what an implementation is doing than about the hard problems.

This workshop is intended to guide newcomers in exploiting real-world bugs in cryptographic implementations, to help them with CTFs, school assignments or even their daily job.

Introduction to modern algebra
Basic Cryptographic Primitives
Attacks on modern cryptographic implementations. Part 1. Symmetric Ciphers (AES and Stream Ciphers)
Attacks on modern cryptographic implementations. Part 2. Asymmetric Ciphers (RSA and Digital Signatures)
Automating attacks (Python for cryptography)
OPTIONAL Advanced Crypto (Attacks on blockchain, LLL algorithm, differential cryptanalysis) [If there is enough time…]


Fernando Castaneda Gonzalez

Mayas CTF Team || DieBartDie CTF Team
Infosec aficionado (脚本小子)

Friday July 26, 2019 10:30am - 1:30pm CDT
Universidad La Salle

11:30am CDT

The art of the hunt
HSBC’s Global Cyber Intelligence and Threat Analysis team will present their unique methods for identifying and tracking financially motivated cyber actors. Malicious cyber actors are increasingly using open source and widely available tools. HSBC will discuss their methods for identifying these tools and thwarting attacks before frameworks are operationalised. This talk will provide real case examples from Cyber Intelligence and Threat Analysis’ investigations over the last year.


Iván González

J.R. Manes is HSBC’s Global Head of Cyber Intelligence and Threat Analysis. J.R. joined HSBC in 2018 after serving more than 12 years as a Cyber Special Agent with the Federal Bureau of Investigation (FBI). During his FBI career, J.R. led complex criminal and national security cyber...

Friday July 26, 2019 11:30am - 12:20pm CDT
Universidad La Salle

11:30am CDT

Threat Hunting on the Enterprise with Winlogbeat, Sysmon and ELK
While threat prevention is an important step to reduce the security risk of organizations, it is not enough. As blue teamers, we must assume that at some point a threat is going to evade defenses and get an initial foothold in the organization; in such a scenario, it is important to have the means to detect those attacks at an early stage so that the threat can be contained and the impact reduced. Defenders also need to perform retrospective investigations and do enterprise-wide searches, analyzing information from multiple devices at once. In this talk, we will show how to enhance endpoint visibility by using free tools such as Sysmon, Winlogbeat and ELK. By using ATT&CK as a reference model, blue teamers can create detections for several attack techniques based on endpoint events; by targeting threat behavior, defenders can more effectively detect adversaries, even when they change their artifacts or infrastructure. Several examples will be shown of how the system can be used to detect attack techniques such as:

Living off the Land attacks: attackers using tools available on the endpoints such as wmic, cscript, net, PowerShell and net scripts
Fileless attacks through PowerShell scripts (detections for PowerShell Empire and Unicorn will be shown)
Lateral movement (PsExec, wmic)
Password spraying attacks (based on visualization of successful and failed Windows logins in Kibana)
Persistence creation via the Windows registry, new services and other techniques
Command and control callbacks
Actions on objective, such as looking for passwords on the file system and in the Windows registry for lateral movement and privilege escalation
In addition to Kibana, the Elasticsearch ELK API
Known threats based on specific functions used in code (TTPs), rather than file hash, IP address or domain, which allows for better detection that is harder for attackers to evade. An example of detecting a variant of Emotet will be shown.

While the human analyst is focusing on detecting TTPs, the ELK API allows analysts to automate the search for indicators of compromise such as IP addresses, domains and hashes, to programmatically detect known evil. We will also show how to integrate this solution with the MISP Threat Intelligence Platform through its API for automatic detection of Indicators of Compromise (IoCs) such as file hashes, domains and IP addresses. Credit will be given to researchers who have published information that has helped to build this system, such as Roberto Rodriguez, Mark Russinovich, SwiftOnSecurity, Florian Roth and Thomas Patzke.


David Bernal

David Bernal has 10 years of experience in information security and holds a bachelor’s degree in Computer Engineering from the National Autonomous University of Mexico (UNAM). Since June 2015 he has served as Lead Security Researcher at SCILabs in the Scitum Cybersecurity Centre. He has...

Friday July 26, 2019 11:30am - 12:20pm CDT
Universidad La Salle

12:30pm CDT

Investigating BIOS/UEFI Malware Implants
In this talk I’m going to present the different types of UEFI/BIOS attacks and how these could be investigated using the right tools to discover possible malware implants.


Roberto Martínez

Kaspersky Lab
Professional Security Analyst & Threat Intelligence Researcher. Digital Forensics Investigator, Incident Responder, and Threat Hunter. Former Security Consultant and Trainer for Governments, Military, Intelligence Agencies, Financial Institutions and Private Corporations in Latin...

Friday July 26, 2019 12:30pm - 1:20pm CDT
Universidad La Salle

12:30pm CDT

Tezcatlipoca: Adversary simulation tool
This is an adversary simulation tool, based on automating the execution of an attacker’s known tools and techniques in order to evaluate an organization’s ability to react to an incident. The tool contains techniques that simulate the activities of a real attack, such as malware execution, web browsing, service detection and exploitation of public vulnerabilities, without being limited to a framework such as MITRE ATT&CK. Some of its applications:

Training of internal security teams
Evaluation of the organization’s incident response plan
Determining the maturity level of an internal team
Determining the efficiency of an organization’s security architecture

The talk will present the cases where applying the adversary simulation approach is viable, its advantages and disadvantages, and its differences from all other types of assessment.


Julio César Muñoz Hernández

Global Cybersec
Free software, open source and information security enthusiast. Blue Team analyst at Global Cybersec

Friday July 26, 2019 12:30pm - 1:20pm CDT
Universidad La Salle

1:30pm CDT

Meal break for Security BSides CDMX 2019 participants

Friday July 26, 2019 1:30pm - 3:00pm CDT
Universidad La Salle

3:00pm CDT

Hey Generation Z! Have you heard of Salinas? The biggest RAT that ever existed... in a car
Today, any recent car up to 5 years old comes with something called “Infotainment”: an iPad-looking screen that lets you use GPS navigation, pick your favorite music from your phone or iPod, make or receive calls while talking through the car’s speakers, or even ask the car to read an SMS message for you. This, together with the latest fully automated driving technologies, can no longer be run by microcontrollers; microprocessors are required to support all those features. In other words, the car has become a “PC on wheels”, that is, one more computer that can be hacked, and so the world started worrying about the possibility of its car being infected with ransomware, or an infostealer reading all your SMS messages while you drive, or how about spyware listening to what you chat about inside your car! All those scenarios used to be hypothetical until now: we bought the infotainment unit of a 2017 Mazda CX5, got access to it and reverse engineered its telephony components with a single goal in mind: to infect the infotainment unit with Remote Administration Tool (RAT) malware, which we named Salinas, able to steal the driver’s text messages, exfiltrate them in real time (along with many other malicious activities) and be controlled remotely through text messages.

During this talk, the main components of an infotainment unit will be described, along with how they work; in addition, different techniques and procedures will be detailed for all those who want to get into the world of car hacking, such as UART access with Bus Pirate, wiring diagram interpretation, remote debugging on ARM, single stepping techniques, reversing on ARM, vulnerabilities used to obtain a root shell, etc. And there will be a live demo!


Daniel Regalado

Sr. Malware Staff Researcher, Hack Defender
Daniel Regalado aka DanuX is an overgrown kid from Chiapas with more than 16 years of work and around 12 of those focused on security topics; he was a pentester in Mexico (at least that’s what he made the companies he worked for believe) and in 2008 he emigrated to the United States where he has worked...

Friday July 26, 2019 3:00pm - 3:50pm CDT
Universidad La Salle

3:00pm CDT

Software exploitation, from the old(?) to the new(?)
In this workshop attendees will learn 2 application exploitation techniques: SQLi, the old but very common one, with different not-so-traditional variants (time/error based), and Reflection, the new but (still) not widely used one, which allows turning a Java application into a zombie.

Many application exploitation techniques target flaws that have been more than reported and documented for many years; on the other hand, attackers look for novel techniques to keep compromising the information held in applications. In this workshop attendees will learn how to identify, exploit and remediate (at source code level) two security flaws:

SQL Injection. Here a very old security flaw will be reviewed, one that is still widespread today and surely will be in the future; attendees will identify and exploit the “time-based” and “error-based” variants of the SQL Injection vulnerability, and a remediation exercise will also be done.

Reflection. Although the use of reflection in programming languages has been around for a couple of years, it is not yet widespread. However, for malicious users, this feature of the vast majority of modern programming languages has not gone unnoticed. Here attendees will learn what reflection is about and how attackers use it today; they will develop a program that, through reflection, turns a Java application into a zombie by ordering it to do whatever its “master” says. There will also be an exercise on preventing attacks that use this technique.


Carlos Isaac Sagrero Campos

Bachelor’s degree in informatics, specialist in application security, graduate of the Tecnológico de Estudios Superiores de Ecatepec, with 10 years of experience in the definition, coordination and execution of ethical “hacking”, vulnerability analysis, penetration testing...

Friday July 26, 2019 3:00pm - 5:00pm CDT
Universidad La Salle

3:00pm CDT

Web Vulnerabilities and Secure Programming
Many vulnerabilities exist in web services, mainly because of unsafe coding. We’ll talk about the importance of secure programming to solve software problems, the most common vulnerabilities in different environments, how to exploit them and how to patch them.

There are many possible vulnerabilities in web services, but the main problem is developing software with code defects. Approximately 50% of all errors (vulnerabilities) occur at the code level. In this workshop, we will talk about the importance of secure programming in any environment to solve software problems, which can therefore be considered the first line of defense against breaches of the program’s security. We plan to list some of the most common vulnerabilities and how they still exist in different environments; we will show how to exploit them and how we can mitigate them by making code more secure.

15 min - Talk about common vulnerabilities
60 min - SQL Workshop
15 min - Break
60 min - Cross Site Scripting Workshop
15 min - Quick review of the other vulns


Ana Ruíz

I’m Ana Ruiz but everybody calls me Kika and I like it. Cybersecurity is one of my passions, like music and roller skating. It arrived in my life when somebody invited me to be part of a cybersecurity group at the university; since that moment I decided that it...

Karina Sada

Friday July 26, 2019 3:00pm - 5:20pm CDT
Universidad La Salle

3:00pm CDT

Cloud machine learning for cybersecurity
This workshop will offer a VERY brief introduction to machine learning and data science, and how it can be applied to the cybersecurity area, with examples. We will put it into practice using Azure ML Studio.

During the theoretical part, a brief introduction to Machine Learning (ML) and Data Science (DS) is given,
with special interest in classification, which is what we will use in the exercises.
Azure ML is used, not because I’m an MS fan, but because it is a free tool that is VERY easy to use even for beginners (with its graphical editor).
Options for using ML for security will be reviewed (malware classification, detection of malicious PDFs, detection of malicious traffic).
Finally it will come down to an Android malware classification exercise. The data for the exercise will be provided, although how to extract the data will be mentioned.


Hugo Gonzalez

Universidad Politecnica de San Luis Potosi, University of New Brunswick, The Honeynet Project
Graduate of the Canadian Institute for Cybersecurity. Professor-Researcher at the Universidad Politecnica de San Luis Potosi. Member of The Honeynet Project. Since returning from his studies, Hugo has participated actively in the information security community through talks and workshops...

Friday July 26, 2019 3:00pm - 5:50pm CDT
Universidad La Salle

4:00pm CDT

Incident Response (region4) - Analyzing campaigns in Mexico
During an incident investigation, our CIR team managed to detect TTPs used by the Clop ransomware threat actor. These include anti-forensics, shellcoding, beaconing and lateral movement. In the talk we will show techniques to identify and analyze each artifact involved during the incident, and how the investigation was driven using threat intelligence to accelerate the analysis, including the process to extract IoCs and how to make use of them. We will also talk about the capabilities needed by an organization that wants to face these kinds of threats.


Ricardo Zarazúa & Jongmin Park

We are incident responders from Deloitte Mexico. We have worked with big multinational clients dealing with crisis situations like massive ransomware, APTs, fraud, DoS, phishing and more. We have worked together with multi-disciplinary and multi-national teams to face threats. Our...

Friday July 26, 2019 4:00pm - 4:50pm CDT
Universidad La Salle

5:00pm CDT

The IoT (R)evolution: from software to (firm)ware
We’re living in an era of revolution in which our homes and offices are slowly being populated with smart devices that will soon outnumber computers and mobile phones. But are we really aware of the risks? We are used to malware on computers. But do we really know what’s inside IoT devices?

A continuation of the story of “how to become a hacker in a few minutes”, this talk shows, on one particular use case, how easy it is today, with respect to IoT security, to pivot and infiltrate someone’s network using an IoT device. We present the case of a camera, a coffee maker and a router which, in orchestration, allow the attacker to take over and bring down the network without (almost) any user interaction. We’ll discuss how insecure IoT devices and their vulnerabilities can be used for pivoting inside a victim’s network and why the IoT problem is a matter of trust. Live demo of the attack chain that renders the network inoperable and held for ransom.


Martin Hron

Avast Software s.r.o.
Currently a security researcher at Avast. I lead research across various disciplines such as dynamic binary translation, hardware-assisted virtualization, IoT, firmware vulnerabilities and malware analysis. I’m devoted to technology and I’m a true software and hardware reverse engineer...

Friday July 26, 2019 5:00pm - 5:50pm CDT
Universidad La Salle

5:30pm CDT

OSINT, intelligence and criminalistics. Hunting the "Monstruo de Ecatepec".
What if we could use technology in our favor to locate criminals? My talk is the result of an investigation using simple OSINT; I will talk about the techniques I used to identify behaviors and patterns of the “Monstruo de Ecatepec”, responsible for femicides.

In 2018 the Mexican government reported 1,634 missing persons; using technology we could locate criminals or prevent future murders. During the talk I will demonstrate that, using OSINT without paid tools, we can uncover clues in open sources, national databases, news, social networks, dates and people which, after applying analysis and intelligence techniques, allowed me to place the individual on a map with an acceptable approximation. If criminalistics techniques were used together with cybersecurity, the “Monstruo de Ecatepec” would have been in prison 5 years ago or, in the worst case, one month before his last murder.

During the talk I will show the Mexican legal framework on open sources, as well as a brief description of missing persons and what to do if an acquaintance goes missing. I hope my presentation is accepted since I am trying to raise awareness that could motivate the creation of non-profit technologies that provide solutions to criminal offenses, shortening analysis and speeding up the arrest of probable suspects.



Soy Hedeky

Friday July 26, 2019 5:30pm - 6:20pm CDT
Universidad La Salle

6:00pm CDT

Blue is the new sexy: Practical tips & tricks on how to create a blue team and threat hunting capability
How do you build a cybersecurity team? There is no bulletproof recipe for it; however, there are good ways to achieve it. We’ll talk about the most interesting challenges during the process and we will share many tips and tricks to build teams focused on threat hunting and incident response.

It is possible to build solid cybersecurity teams with a focus on defense, threat hunting, and incident handling. This talk is solution oriented and we will focus on giving advice, tips, and tricks that have worked for us after building various teams and after a series of success and failure cases.

During the talk using illustrative scenarios, we will address the challenges that security teams face and how we have resolved them to build a solid, diverse team with efficient threat detection and incident resolution capabilities in record time.

Seeking non-standard (sometimes radical) solutions and keeping an open mind have been key throughout all the processes involved in building the team.


Victor Gómez

Old school cybersecurity professional focused on DFIR and Threat Hunting.

Friday July 26, 2019 6:00pm - 6:30pm CDT
Universidad La Salle

6:00pm CDT

Mature, Secure and Vulnerable. Hackers still hold your privacy in their hands
Mobile operators understand the SS7 security problem and protect signaling networks. We have found out SS7 has vulnerabilities that allow bypassing any security tools. I will demonstrate how an intruder can perform any attack against subscribers in mobile networks protected by mature security tools.

New technologies are constantly appearing in our life. Nowadays the mobile world is moving to 5G. However, there are billions of subscribers who still use GSM and UMTS networks, which rely on the SS7 (Signaling System #7) protocol stack. When the SS7 stack was being developed, it was supposed to be used as an isolated network within a small club of big telephone operators with a high level of trust. Developments in telecommunications brought their own correctives. Firstly, the number of operators has been growing rapidly. Secondly, in the early 2000s, SS7 got the possibility of sending signaling traffic over IP networks with a new specification called SIGTRAN. The SS7 network stopped being isolated and the small club stopped being small. Now an intruder can easily connect to an SS7 network and perform attacks specific to mobile operators, such as location tracking, service disruption, fraudulent activity, SMS and voice call interception. Mobile operators, equipment vendors, and non-commercial organizations (such as the GSMA – the association of mobile operators) are aware of the problem. They develop and implement security solutions mitigating threats from SS7 networks. Our recent research shows that SS7 has vulnerabilities that allow bypassing any protection tools. Manipulation of parameters on different layers of an SS7 message may help an intruder to cheat a security tool and achieve the goal even with subscribers served by a well-protected network. The research findings were reported to the GSMA Coordinated Vulnerability Disclosure Programme and FASG (Fraud and Security Group). The report was used for a security recommendations update. I will demonstrate how an intruder can perform the above-mentioned attacks against subscribers in mobile networks protected by mature security tools. I will explain why it is possible and how networks and security equipment react to malicious traffic. 
In addition, I will give recommendations to mobile operators on how to improve security on their networks.


Sergey Puzankov

Positive Technologies
Sergey was born in 1976. He graduated from Penza State University with a degree in automated data processing and management systems in 1998. Before joining Positive Technologies in 2012, he worked as a quality engineer at VimpelCom. Being a security expert in telecommunication systems...

Friday July 26, 2019 6:00pm - 6:50pm CDT
Universidad La Salle

6:30pm CDT

Breaking Smart [Bank] Statements
Explanation of how I found and exploited a security flaw (bad implementation of cryptography) in a bank statement, sent via email, of one of the biggest banks in Mexico.


Manuel Nader

Security Researcher at Trustwave. Previously I worked as a security consultant.

Friday July 26, 2019 6:30pm - 6:50pm CDT
Universidad La Salle

7:00pm CDT

Closing of the second edition of Security BSides CDMX 2019: awards and giveaways, final thanks and farewell

Friday July 26, 2019 7:00pm - 7:40pm CDT
Universidad La Salle

8:00pm CDT

BSides CDMX 2019 closing party

Friday July 26, 2019 8:00pm - 11:00pm CDT
Celtics Pub Irlandés Condesa
