
Projects

The "Cloud Security Reading List" is a low volume mailing list (once per week) that highlights security-related news focused on the cloud native landscape, hand curated by myself. Knowing how difficult it is to stay up to date with all the different news and releases occurring in this industry, I hope this will be helpful for other people who are particularly interested in this corner of the security scenario.
I've been a Technical Reviewer of the "Cloud Native Devops with Kubernetes" book.
GoScan is an interactive network scanner client, featuring auto-completion, which provides abstraction and automation over nmap.

Although it started as a small side-project I developed in order to learn @golang, GoScan can now be used to perform host discovery, port scanning, and service enumeration not only in situations where being stealthy is not a priority and time is limited (think of CTFs, OSCP, exams, etc.), but also (with a few tweaks in its configuration) during professional engagements.

GoScan is also particularly suited for unstable environments (think unreliable network connectivity, lack of 'screen', etc.), given that it fires scans and maintains their state in an SQLite database. Scans run in the background (detached from the main thread), so even if connection to the box running GoScan is lost, results can be retrieved asynchronously. That is, data can be imported into GoScan at different stages of the process, without the need to restart the entire process from scratch if something goes wrong.

In addition, the Service Enumeration phase integrates a collection of other tools (e.g., EyeWitness, Hydra, nikto, etc.), each one tailored to target a specific service.
Offensive ELK is a custom Elasticsearch setup, aiming to show how traditional “defensive” tools can be effectively used for offensive security data analysis, helping your team collaborate and triage scan results.
In particular, Elasticsearch offers the chance to aggregate a multitude of disparate data sources, query them with a unified interface, with the aim of extracting actionable knowledge from a huge amount of unclassified data.
The iOS Security Testing Framework. Needle is MWR's iOS Security Testing Framework, released at Black Hat USA in August 2016. It is an open source modular framework which aims to streamline the entire process of conducting security assessments of iOS applications, and acts as a central point from which to do so. Needle is intended to be useful not only for security professionals, but also for developers looking to secure their code. A few examples of testing areas covered by Needle include: data storage, inter-process communication, network communications, static code analysis, hooking and binary protections.

The release of version 1.0.0 provided a major overhaul of its core and the introduction of a new native agent, written entirely in Objective-C. The new NeedleAgent is an open source iOS app complementary to Needle that makes it possible to programmatically perform tasks natively on the device, eliminating the need for third party tools.

Needle has been presented at and used by workshops in various international conferences like Black Hat USA/EU, OWASP AppSec and DEEPSEC. It was also included by ToolsWatch in the shortlist for the Top Security Tools of 2016, and it is featured in the OWASP Mobile Testing Guide. On the week of its release, it reached #3 on Netsec, the first page of Hacker News, and it was trending on GitHub.
Talks:
       BlackHat Arsenal USA 2016
       OWASP AppSec USA 2016
       BlackHat Arsenal EU 2016
       BlackHat Arsenal USA 2017
Workshops:
       DEEPSEC 2016
The Offensive iOS Exploitation workshop is an exercise-driven training course that uses detailed tutorials to guide the attendees through all the steps necessary to exploit a real iOS application, and in the process, provides them with an understanding of the modern attacker's mind-set and capabilities. The course covers iOS hacking, from the basics of vulnerability hunting on the platform to advanced exploitation techniques. In addition, this workshop uses MWR's newly released "Needle" to identify and exploit all the common mobile application security flaws, over and above the OWASP Mobile Top Ten.

At its conclusion, it will have imparted the information necessary to develop secure and robust applications. Other take-aways will include how to develop secure mobile applications that can withstand advanced attacks, how hackers attack mobile applications and iOS devices, and the most up to date and effective secure coding practices.
Workshops:
       DEEPSEC 2016
Technical Reviewer in the peer review process of some IEEE Journals (i.e., 'Transactions on Emerging Topics in Computing (TETCSI)').
Technical Reviewer of the security-related chapters of the "500 Lines or Less" book.
Media:
       Release Warning (AOSABOOK - 09 July, 2016)
       Book Release (AOSABOOK - 12 July, 2016)
       500 Lines or Less Release (AOSABOOK - 12 July, 2016)
AndroRAT++ is a proof-of-concept mobile malware, embedded in a legitimate application, that enhances the features of a well-known RAT application (AndroRAT). The RAT, once installed, allows the attacker to control the phone remotely, obtaining access to certain sensitive information, and using the device for malicious purposes. The attacker can also attempt to escalate his privileges in order to gain complete access to the device's resources. An exploit kit has been embedded in the source code of AndroRAT++: the attacker can then silently obtain root privileges and, therefore, complete access to the device.
Talks:
       BSides Vienna 2014
As my first contribution to the OWASP Project, I was assigned to the team responsible for the translation of the Top 10 2013 into Italian.
We pointed out the security weaknesses of using Social Authentication (SA) as part of a two-factor authentication scheme, focusing on Facebook's deployment. We have designed an automated attack able to break the SA, to demonstrate the feasibility of carrying out large-scale attacks against social authentication with minimal effort on behalf of an attacker. We then revisited the SA concept and proposed reSA, a two-factor authentication scheme that can be easily solved by humans but is robust against face-recognition software.
Awards:
       NATO CCDCOE Best Student Thesis Award, as the best thesis published on cyber defence topics. Awarded during the International Conference on Cyber Conflict (CyCon 2014), Tallinn
       'Innovation in Information Security' Thesis Award (Premio Tesi Clusit: 'Innovare la sicurezza delle informazioni'), as the 2nd best thesis published in Italy in 2013. Awarded during the Security Summit 2014, Milan
Papers:
       All Your Face Are Belong to Us: Breaking Facebook's Social Authentication (ACSAC 2012)
       Faces in the Distorting Mirror: Revisiting Photo-based Social Authentication (CCS 2014)
       Social Authentication: Vulnerabilities, Mitigations, and Redesign (DEEPSEC 2014)
Talks:
       CyCon 2014
       DEEPSEC 2014

Conference Talks

Needle's progress was shown at Black Hat USA, with a live demo of its capabilities.
Conference:
       Black Hat Arsenal USA, Las Vegas, USA.
Media:
       Arsenal Lineup (Tools Watch)
Pushing the Jesus Phone through the eye of a needle, an introduction to MWR's iOS Security Testing Framework
Conference:
       MWR Briefing, London, UK
The first iteration of the "Offensive iOS Exploitation" workshop has been delivered at DEEPSEC 2016.
Conference:
       DEEPSEC, Vienna, Austria
Media:
       Syllabus
       DEEPSEC Promotion (DEEPSEC - 04 September)
Needle's progress was shown at Black Hat EU, with a live demo of its capabilities.
Conference:
       Black Hat Arsenal EU, London, UK.
Media:
       Arsenal Lineup (Tools Watch)
Needle's architecture, capabilities and roadmap have been presented at AppSec USA. During the talk it was also demonstrated how Needle can be used to find vulnerabilities in iOS applications from both a black-box and white-box perspective (with a demo of the tool in action).
Conference:
       OWASP AppSec USA, Washington DC, USA.
Media:
       MWR LABS Publication
Needle has been publicly released at Black Hat USA, with a live demo of its capabilities.
Conference:
       Black Hat Arsenal USA, Las Vegas, USA.
Media:
       Arsenal Lineup (ToolsWatch)
       Black Hat Promotion, Twitter (Black Hat - 23 July)
       Black Hat Promotion, Facebook (Black Hat - 23 July)
       Needle iOS security testing tool to be unveiled at Black Hat Arsenal (Help Net Security - 01 August)
       Black Hat USA Photo Gallery (Help Net Security - 04 August)
       A quick intro to Needle (MWR Labs - 17 August)
At BSides Vienna 2014, Roberto Puricelli and I delivered a talk based on AndroRAT++, a proof-of-concept mobile malware.
Conference:
       BSides Vienna, Vienna, Austria.
At DEEPSEC 2014 I delivered a talk based on my Master Thesis: "Social Authentication: Vulnerabilities, Mitigations, and Redesign". In addition, an excerpt of the work has been published by the Magdeburger Institut für Sicherheitsforschung in the volume "In Depth Security - Proceedings of the DeepSec Conferences" of the Magdeburger Journal zur Sicherheitsforschung.
Conference:
       DEEPSEC, Vienna, Austria
At CyCon 2014 I delivered a talk based on my Master Thesis, for which I won NATO's Best Thesis Award as the best thesis published on cyber defence topics.
Conference:
       International Conference on Cyber Conflict (CyCon), by NATO CCDCOE (Cooperative Cyber Defence Centre of Excellence), Tallinn, Estonia
Session:
       Student Paper Session with Best Student Thesis Award

Conference Papers

The article I submitted and presented at DEEPSEC 2014 has been published in the "In Depth Security (Proceedings of the DeepSec Conferences)" book.
Conference:
       DEEPSEC, Vienna, Austria
Conference:
       Proceedings of the 21st ACM Conference on Computer and Communications Security (CCS), Scottsdale, AZ. (acceptance: 19.4%)
Authors:
       Iasonas Polakis, Panagiotis Ilia, Federico Maggi, Marco Lancini, Georgios Kontaxis, Stefano Zanero, Sotiris Ioannidis, Angelos D. Keromytis
Conference:
       Proceedings of the 28th Annual Computer Security Applications Conference (ACSAC), Orlando, FL. (acceptance: 19%)
Authors:
       Iasonas Polakis, Marco Lancini, Georgios Kontaxis, Federico Maggi, Sotiris Ioannidis, Angelos D. Keromytis and Stefano Zanero
Subsequent Talks:
       Hek.SI 2013 (Ljubljana, Slovenia)
       HackCon 2013 (Oslo, Norway)
       Also covered by ComputerWorld