| | Speaker's name and Twitter handle | Session title | Presentation abstract | Who is your content most appropriate for? | Level of difficulty? 1=low 5=brainkill | Suitable for public consumption? | Have you delivered this talk before? | Preferred stream time |
| 1 |
David Rook @securityninja |
Windows Phone 7 platform and application security overview |
Windows Phone 7 is the latest mobile operating system
from Microsoft and is the youngest of all the major smartphone operating
systems. Since it was released in late 2010 it has gained a small
share of the smartphone market but this is likely to increase significantly
with Nokia now using it as the OS for their flagship models.
The young age of the OS and the small market share size means there
has been very little security research carried out against this
platform so far. This means that developers and security professionals
are working with this platform without a detailed understanding
of the security features and potential shortcomings.
Security should be part of the DNA of any application which stores
or transmits sensitive data but how many of the developers with
published applications understand common mobile application security
vulnerabilities and more importantly how many know how to prevent
them in their own applications?
This presentation will detail the security features of Windows
Phone 7 with an emphasis on how developers can produce Windows Phone
7 apps that are free from common mobile application security vulnerabilities.
This talk will start by looking at why we should care about mobile
security, what the implications are for developers and security
professionals and how mobile manufacturers and network operators
are now a big part of your threat models and how their approach
to security could undermine your application security efforts.
I will then focus on the security model and features of Windows
Phone 7 and how these features compare to those found in the iOS
and Android operating systems.
The final part of this talk will focus on the types of vulnerabilities
seen in mobile applications over the past few years and how developers
can ensure their Windows Phone 7 apps are free from these vulnerabilities.
This will include reviews of insecure and secure code samples from
real world applications.
This talk will arm developers and security professionals with an
understanding of the Windows Phone 7 security features and the guidance
they need to produce secure Windows Phone 7 apps. This talk will
include demonstrations of Windows Phone 7 security tools that I'm
developing such as the Windows Phone App Analyser. |
Techies, Any Geek |
4 |
Can be filmed and released |
No |
60 minutes |
| 2 |
Gavin Ewan @jac0byterebel |
A Salesman's Guide to Social Engineering |
Social Engineering is currently one of the buzz
terms within the hacking field. Like children with new toys, hackers
everywhere white hat, black hat and everything in between are rushing
to learn just what Social Engineering is and how they can add it
to their arsenal.
In this talk, I will take
an entirely different approach to the Social Engineering talks you
are used to and show how lessons can be learned from one of the
oldest, most durable professions, that of the salesman. I will talk
about the true master salesman, one who can quickly identify their
customer’s train of thought and what signals they will respond to
in order to gain a sale and show how many useful parallels there
are between a good sales process and a Social Engineering attack/penetration
test.
I will briefly go through some models that have been taken from
psychology and applied to sales, but I will use them to apply directly
to Social Engineering. You will be surprised how well they fit and
how little alteration is needed! I will show how everything from
searching for information on buyers to handling objections to a
sale can be used in an SE attack (Same process for researching
a target? Objection handling for dealing with curious/vigilant security?).
For those of you who are more comfortable behind a computer screen
than in front of people, don’t worry, I will show why the current
line of thinking in information security that Social Engineering
is limited to those with 'the gift' is wrong and show exactly how
you can apply these techniques and why those who seem to be ‘gifted
talkers’ fail almost every time.
Once I have looked at the attack vectors I will do the only right
thing and show exactly how these very attacks can be better defended
against. I will present firstly why as information security professionals
we should be scared of the fact so much Social Engineering skill
is out there, then I will seek to present exactly how we can leverage
this skill to not only benefit ourselves during penetration testing,
but also to shore up our clients defences against these very attacks.
I will then show you how a process that is used every day by organisations,
big and small, can be tweaked and applied to your organisation in
order to protect you, your employees and importantly your customers
and their data against Social Engineering attacks.
By the end of this talk you will be left with plenty of food for
thought from your time with a multi-award-winning salesman turned
ethical hacker. You will have categorised yourself according to
one of my key people types and know what SE would be more effective
against you. You will also be able to start looking for those same
signals in others, your friends, your workmates, your targets? You
will be armed with the process that I use in an SE attack and the
tools to do some thinking and research to make your own similar
process. |
Any Geek |
3 |
Can be filmed and released |
Yes |
60 minutes |
| 3 |
Javvad Malik @J4vv4D |
ENGLISH MOFO? Do you speak it? |
Business leaders need to make
decisions on how best to sustain and grow their business without
taking on an unnecessary amount of risk. However, many times they
are unable to make the right decision because of the way security
risks are presented to them. They may as well be speaking a different
language.
Most security professionals end up frustrated by the lack of understanding
the business has and even more so when their pragmatic solutions
are overlooked by senior business people in favour of a vendor-driven
solution filled with marketing buzzwords such as APT or Cloud computing.
This talk is aimed towards security professionals looking to increase
their success rate in helping the business understand and manage
their risks better. |
Techies, Business, Any Geek |
3 |
Can be filmed and released |
No |
30 minutes |
| 4 |
Nick Selby @nselby |
The Do Over: Building A Green-field F500 Infrastructure |
When a targeted nation-state sponsored attack was
launched against a F500 which had for years under-invested in its
IT and its security, the company had only one choice: build a totally
new, secure, global IT infrastructure from the switches and routers
up. And it had to decide on how to do it in less time than most
people take to choose a good-sized flat screen from Best Buy.
This talk describes the environment, the attack, the response and
the choices made when a large enterprise has the opportunity to
start anew - if you could replace every single thing in your environment
tomorrow, and money was no object, what would you buy? How would
you implement it? How would you train your organisation to use it,
and change its culture from what you had - where IT, and particularly
information security, clearly was not a consideration - to one in
which IT and information security are trusted partners of the business?
And how would you make sure that you never get into this situation
again?
If your answer doesn't affect what you do next year, you're not
paying attention. |
Techies, Business |
4 |
Sorry only for those attending |
Yes |
60 minutes |
| 5 |
Robin Wood @Digininja |
Breaking in to Security |
At least once a month someone asks me directly,
or through a mailing list, how to get started in security. Some
of these people are coming out of university or college and some
are moving across from other careers.
This talk is aimed at those people and hopes to answer all the commonly
asked questions. To do this I've surveyed the industry (The survey
is here if you would like to contribute http://www.surveymonkey.com/s/GHBPF6G
) and will present the collated results.
I'll be aiming to answer the eternal questions such as "Do
I need to program and if so which language?" and "Which
cert is the best?"
I hope to finish off with a short competition for people looking
to move with the winners getting a chance to get some of their questions
answered. |
Techies, Business, Any Geek |
1 |
Can be filmed and released |
No |
60 minutes |
| 6 |
Christopher Boyd |
Fus Ro Dah! |
In-game advertising is becoming more visible (and
in some cases, more intrusive) in the world of console, PC and mobile
gaming. In many cases, disclosure related to what's happening with
your PII is as bad (if not worse) than the poor practices of the
Adware industry prior to clean ups brought about by the FTC and
the NYAG.
Where is your data going? What are you consenting to when installing
that "free" app? Which advertising networks are serving
you "relevant" targeted advertising while playing the
latest FPS?
From the first in-game ad from 1978 to the present day where as
many as 40+ EULAs compete for your attention while installing a
free game, this presentation will look at the history, development
and current state of in-game advertising and how it affects anybody
wanting to simply play a game on their PC, console or phone.
If you want to know why console users now use Hosts files to block
adverts, understand the difference between static and dynamic advertising,
see examples from the history of in-game promotions, learn some
of the tricks used to ensure gamers view adverts in gaming sessions
and explore the possible directions in-game advertising could take
then this is the talk for you. |
Any Geek |
3 |
Sorry only for those attending |
No |
60 minutes |
| 7 |
Kizz MyAnthia @Kizz_My_Anthia |
Mapping The Penetration Tester's Mind: 0 to Root in 60 Minutes |
Mapping the Penetration Tester’s Mind is a gap-bridging series made to bring information technology professionals, auditors,
managers, penetration testers and all those with an interest in
information security to an equal understanding. Many times an auditor,
manager, or compliance officer understands that a Penetration Test
is required and the importance of having it done, but may not understand
how it is performed or why certain actions were made. Mapping the
Penetration Tester’s Mind will allow these professionals to gain
insight into how a Pen Tester looks at the project from start to
finish, including viewing the SOW, applying methodologies and experience,
target selection, exploitation, evidence collection, and reporting.
Mapping the Penetration Tester’s Mind will not only present the
ideals that are used to perform a test, but will also arm the attendees
with the information and knowledge to ensure that they are choosing
the right Pen Tester for their engagement. This material has never
been presented with this type of focus or insight from an experienced
tester like this before. Mapping the Penetration Tester’s Mind is
sure to provide every attendee a high value of return and a better
understanding of the “dark art” of penetration testing making it
the bright light at the end of the tunnel. |
Techies, Business, Any Geek |
3 |
Can be filmed and released |
No |
60 minutes |
| 8 |
Chris Edmunds @chrisjedmunds |
Closing the 0day window, or, "lol why haven't they patched that yet" |
So often a simple recommendation on a pen test report
is "Apply the patch" and either it doesn't happen or takes
seemingly ridiculous amounts of time to be deployed. In this presentation
I aim to discuss the hurdles facing any security team in trying
to see a patch pushed out, as well as looking at the various
challenges facing larger companies in getting a security vulnerability
patched in production.
Hopefully I will be able to both provide some insight to the testing
community as to why this happens, also offering up some best practice
ideas that I've seen used, as well as discussing some (anonymous)
examples of how not to do it. |
Techies, Business |
1 |
Can be filmed and released |
No |
30 minutes |
| 9 |
Jason Alexander @0wasp |
Building an SDLC utilising OWASP resources |
In this presentation I will show how the free and open resources of OWASP
(Open Web Application Security Project) can be utilised to initially
measure the current status and maturity of security within your
software development life cycle and then drive improvements at every
stage. From setting security requirements and implementing standards
to developer training, software testing and all importantly measuring
results. |
Business |
3 |
Can be filmed and released |
No |
30 minutes |
| 10 |
Xavier Mertens @xme |
Does your data belong to Pastebin? |
During my talk, I'll present a small tool that I
wrote to monitor the content posted on pastebin.com. This website
is more and more used to disclose interesting information. By keeping
an eye on the content, you can discover interesting data like some
corporate data! Like marketing guys monitor social networks to track
what has been said about a brand, security guys must follow what
has been posted from a security point of view (email addresses,
logins, CC# or any other data leaks). |
Techies, Business |
1 |
Can be filmed and released |
No |
30 minutes |
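Once a monitor such as the one described above has the text of a paste, the question is what to look for in it. The following is an added example for this page, not the speaker's tool: it skips the fetching side (polling the site's recent pastes) and shows only the offline scan run over each paste, picking out addresses on a watched corporate domain, user:password lines and Luhn-valid card numbers. The sample paste, the example.com domain and the watch list are constructed test data.

```python
"""Scan scraped text for the kinds of leak the talk lists: addresses on watched
corporate domains, user:password lines and Luhn-valid card numbers.

Added example for this page, not the speaker's tool. The fetching side (polling
pastebin.com's recent pastes) is omitted; this is the offline scan you would run
over each paste. The sample paste, the example.com domain and the watch list are
constructed test data."""
import re

EMAIL_RE = re.compile(r"\b[\w.+-]+@(?:[\w-]+\.)+[A-Za-z]{2,}\b")
# one "user:secret" per line, the shape credential dumps usually take
CRED_RE = re.compile(r"^\s*([\w.@+-]{3,}):(\S{6,})\s*$", re.MULTILINE)
# 13-19 digits, optionally separated by spaces or dashes; Luhn weeds out the noise
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,19}\b")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: true for a syntactically valid card number."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """Keep BIN and last four only; the monitor should never store a full PAN."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def scan_paste(text: str, watched_domains=frozenset()) -> dict:
    """Return everything in `text` that looks like a leak, grouped by kind."""
    emails = sorted({m.group(0).lower() for m in EMAIL_RE.finditer(text)})
    corporate = [e for e in emails if e.rsplit("@", 1)[1] in watched_domains]
    creds = [(u, p) for u, p in CRED_RE.findall(text)
             if u.lower() not in ("http", "https")]  # 'http://host/...' is a URL, not a credential
    cards = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            cards.append(mask_pan(digits))
    return {"emails": emails, "corporate_emails": corporate,
            "credentials": creds, "cards": cards}


# Constructed paste, not real data.
SAMPLE_PASTE = """dump from db.example.com
admin@example.com:Winter2011!
jsmith:hunter22x
see http://example.com:8080/status for the rest
card: 4111 1111 1111 1111 exp 12/14
not a card: 1234 5678 9012 3456
contact bob@gmail.example if you want more
"""

if __name__ == "__main__":
    for kind, hits in scan_paste(SAMPLE_PASTE, {"example.com"}).items():
        print(f"{kind}: {hits}")
```

The Luhn check is what keeps the card detector useful: any 16-digit string matches the regex, but only about one in ten passes the checksum, and the hit is masked before it goes anywhere near an alert or a log.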
| 11 |
Ian Maxted TheJeffVader |
Social Engineering - How is it really done? |
Let's talk about social engineering, what is it?
How is it really done? The 30 minute presentation will go into commonly
used techniques and give real life examples from people who carry
out both remote social engineering exercises and on-site perimeter
security reviews.
What information is too personal? Where do we draw the line? We
will also discuss the pitfalls and potential HR issues that can
occur as a result of these exercises.
The presentation will give you a good insight into the value of
social engineering as well as hopefully open your eyes to some of
the devious tactics employed. |
Business |
2 |
Sorry only for those attending |
No |
30 minutes |
| 12 |
Robert McArdle @bobmcardle |
HTML5 - A Whole New Attack Vector |
HTML5 opens up a wide and wonderful new world for
Web Designers to explore - bringing fantastic new features that
were previously only possible via Flash or horribly over-complicated
JavaScript. And HTML5 is not a future technology - chances are your
favourite browser already has excellent support built in (unless
you are still using IE)
In this talk we will look at HTML5 from an attackers view-point.
Because not only does HTML5 bring us Semantic web, editable content,
inbuilt form validation, local storage, awesome video support and
the long overdue death of <div> - it also opens up a host
of new opportunities for attackers.
We'll look at some of the troublesome new attacks that this new
HTML5 standard introduces, how attackers can leverage these attacks
to cause untold havoc on your machine, and how - with a little bit
of help from some not so over-complicated JavaScript - we can build
Botnets in your Browser! |
Any Geek |
3 |
Can be filmed and released |
Yes |
30 minutes |
| 13 |
Stephen Bonner @stephenbonner |
InfoSec and the Mayan Apocalypse |
As we all know the Human Race is over on 21st Dec
2012 due to the end of the Mayan Calendar. How will future visitors
from outer space view our infosec efforts from the films, music
and books left behind? This talk takes extracts of popular media
portraying hacking and defending computers and deconstructs them.
You'll laugh, you might even cry and you'll definitely get chocolates
thrown at you. |
Any Geek |
3 |
Sorry only for those attending |
No |
60 minutes |
| 14 |
Abraham Aranguren @7a_ |
Introducing OWTF |
Summary: An introduction to the Offensive (Web,
etc) Testing Framework (aka OWTF) including demos of the latest
features developed until the time of the conference.
Talk Description:
Background:
The Offensive (Web, etc) Testing Framework (aka OWTF) is a free
and opensource OWASP+PTES-focused tool. Its objective is to unite
great tools and make pen testing more efficient. Full details available
at http://owtf.org.
OWTF is a tool that tries to achieve a new level of efficiency and
comprehensiveness by combining great standards (OWASP aligned, PTES
in the to-do list), great tools, websites and knowledge in the public
domain together with continuous reporting using an interactive report
that allows the pen tester to analyse the information in a similar
fashion to the thought process of a chess player.
OWTF intends to find an optimal balance between automation and human
analysis so that the best of both worlds can be attained.
In this talk there will be a brief introduction to OWTF. This will
be followed up with demos of the latest features up until the time
of the conference (this is a fast moving project) to help pen testers
get the most out of this tool and/or provide them with new ideas
to improve their pen testing process.
This can be a talk, a workshop or a mix of both. |
Techies, Any Geek |
3 |
Can be filmed and released |
Yes |
60 minutes |
| 15 |
Abraham Aranguren @7a_ |
Legal and efficient web app testing without permission |
Summary: An OWASP-focused walk-through on passive
and semi passive techniques to assess Web app security and how those
have been included into OWTF.
Description:
Background: The Offensive (Web, etc) Testing Framework (aka OWTF)
is a free and opensource OWASP+PTES-focused tool. Its objective
is to unite great tools and make pen testing more efficient. Full
details available at http://owtf.org.
This talk will be a highly practical walk-through for the items
in the OWASP Testing Guide that can be at least partially tested
for security without permission and also how those tests have been
incorporated into OWTF for efficient testing and verification. From
a defensive perspective this talk may also be useful to learn how
criminals may analyse our systems without us noticing.
The purpose of this talk is to show how to partially test a website
for security, legally and responsibly, even before permission is
given. This may be useful in a number of situations such as when
short timeframes are given to test a web application or when the
pentester is willing to go the extra mile to do as much work as
possible in advance. By applying these techniques pen testers will
really have the best chance to get in and will only have to use
the test window for active testing and exploitation (i.e. when
permission is really needed).
The techniques described will be mapped to well-defined OWASP Testing
Guide items. This talk will be highly practical and real examples
from the field will be shown for most if not all techniques. The
purpose of this talk is to show just how much can be done without
almost touching a website in the hope of increasing awareness and
perhaps provide some pen testers with new ideas or perspectives
on how a web app pen test can be carried out in practice. |
Techies, Business, Any Geek |
3 |
Can be filmed and released |
No |
60 minutes |
| 16 |
Abraham Aranguren @7a_ |
Pentesting like a Grandmaster |
Summary: A walk-through of the techniques chess
players use, how they apply to pen testing and how they have been
implemented into OWTF.
Background: The Offensive (Web, etc) Testing Framework (aka OWTF)
is a free and opensource OWASP+PTES-focused tool. Its objective
is to unite great tools and make pen testing more efficient. Full
details available at http://owtf.org.
Chess is a complex game: The number of permutations is just too
great to compute the best possible move during a game. This is similar
to pen testing in that we also have too many vulnerabilities to
choose from not only on a 1 by 1 basis but also how we would chain
them together like a real attacker.
Chess players must analyse efficiently to beat time constraints
like pentesters but unlike pentesters they have been doing this
for a long time.
The purpose of this talk is to expose the techniques chess players
have been using for centuries and to illustrate how we can learn
from these and apply them to pen testing. The talk will be highly
practical and will show how these techniques have been incorporated
into OWTF, not only with screenshots but also demos.
Have you ever had to spend valuable time in the middle of a test
to prepare something you could have prepared in advance? Did you
ever analyse a vulnerability/attack-path in depth only to find a
significantly easier to exploit vulnerability hours/days later?
Pen testing is very similar to playing chess: It is easy to get
carried away and waste valuable analysis time on a line of attack
that is just not the best option. Maybe mistakes like this will
be a bit less likely after attending this talk.
Techies, Any Geek |
3 |
Can be filmed and released |
No |
60 minutes |
| 17 |
Amol Sarwate @amolsarwate |
SCADA Security: Why is it so hard? |
This talk will present technical security challenges
faced by organizations that have SCADA, critical infrastructure
or industrial control systems installations. It will provide examples
of attacks and examples of security controls for the same. The talk
will introduce an open-source tool to help identify and inventory
SCADA systems.
The presentation will begin by introducing SCADA systems under the
hood including RTU, IED, PLC, FEP, PCS, DCS, HMI, sensors, data
historians and other SCADA components. The presenter will categorise
these components into distinct groups based on the functionality
that each component provides. The presenter will review the security
implications on each of these groups and identify where most of
the threats lie. The presentation will take a packet level dive
into SCADA protocols like MODBUS and DNP3 and study their security
implications. The presentation will give examples of attacks that
can be carried out against each group and component. The presenter
will release an updated version of an open-source tool to identify
and inventory SCADA systems using the protocols discussed in this
presentation. The presenter will then focus on real world examples
of successful and not-so-successful implementations of security
controls with SCADA systems. This will include examples of what
some large organizations have done, and a discussion about why SCADA
security cannot be deciphered just by tools or technical solutions.
The presentation will conclude with guidance on how control
system owners can start implementing additional measures to get
to an acceptable level of security.
Attendees who are in charge of control system infrastructure will
get insight on what worked and what did not for other organizations.
Engineers who are in charge of security for control systems will
get a better technical insight of SCADA protocols and components
and can use the open source tool that is introduced. Attendees who
are new to control systems will get an excellent overview of security
complexities of control systems. |
Techies, Any Geek |
4 |
Can be filmed and released |
Yes |
60 minutes |
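For the "packet level dive" the abstract above promises, this added example (not the speaker's tool or slides) parses Modbus/TCP frames, builds the Read Device Identification request an inventory scanner would send to ask a device what it is, and flags write operations arriving from hosts that should not be issuing them. Framing and function codes follow the public Modbus Application Protocol and Modbus/TCP specifications; the sample frames, IP addresses and the "engineering workstation" allow-list are constructed, and the assumption that an inventory tool fingerprints via FC 43 is mine, not a statement about the speaker's tool.

```python
"""Modbus/TCP at the packet level: parse the MBAP header and PDU, build the
Read Device Identification request an inventory scanner would send, and flag
write operations from hosts that should not be issuing them.

Added example for this page, not the speaker's tool. Framing and function codes
follow the Modbus Application Protocol and Modbus/TCP specifications; the sample
frames, IP addresses and the 'engineering workstation' allow-list are constructed.
"""
import struct
from dataclasses import dataclass

READ_FCS = {1: "Read Coils", 2: "Read Discrete Inputs",
            3: "Read Holding Registers", 4: "Read Input Registers"}
WRITE_FCS = {5: "Write Single Coil", 6: "Write Single Register",
             15: "Write Multiple Coils", 16: "Write Multiple Registers"}
FC_READ_DEVICE_ID, MEI_READ_DEVICE_ID = 43, 14


@dataclass
class ModbusFrame:
    transaction_id: int
    unit_id: int
    function_code: int   # with the exception bit (0x80) stripped
    is_exception: bool
    data: bytes


def build_modbus_tcp(transaction_id: int, unit_id: int, function_code: int, data: bytes) -> bytes:
    """MBAP header (transaction id, protocol id 0, length, unit id) followed by the PDU.
    Length counts the unit id plus the PDU, as the spec requires."""
    pdu = bytes([function_code]) + data
    return struct.pack(">HHHB", transaction_id, 0, len(pdu) + 1, unit_id) + pdu


def parse_modbus_tcp(frame: bytes) -> ModbusFrame:
    """Parse one Modbus/TCP frame, rejecting anything that is not well-formed Modbus."""
    if len(frame) < 8:
        raise ValueError("frame shorter than MBAP header plus function code")
    tid, proto, length, unit, fc = struct.unpack(">HHHBB", frame[:8])
    if proto != 0:
        raise ValueError(f"protocol id {proto} is not Modbus")
    if length != len(frame) - 6:
        raise ValueError("MBAP length does not match bytes on the wire")
    return ModbusFrame(tid, unit, fc & 0x7F, bool(fc & 0x80), frame[8:])


def read_device_identification(transaction_id: int = 1, unit_id: int = 1) -> bytes:
    """FC 43 / MEI type 14, ReadDeviceId code 1 (basic), starting at object 0 (VendorName):
    the standard way to ask a device what it is. Assumption: this is how an inventory
    tool would fingerprint; the speaker's tool may do it differently."""
    return build_modbus_tcp(transaction_id, unit_id, FC_READ_DEVICE_ID,
                            bytes([MEI_READ_DEVICE_ID, 1, 0]))


def describe(frame: ModbusFrame) -> str:
    if frame.is_exception:
        return f"exception to FC {frame.function_code}"
    if frame.function_code in READ_FCS:
        return READ_FCS[frame.function_code]
    if frame.function_code in WRITE_FCS:
        return WRITE_FCS[frame.function_code]
    if frame.function_code == FC_READ_DEVICE_ID:
        return "Read Device Identification"
    return f"FC {frame.function_code}"


def unauthorised_writes(observations, engineering_hosts):
    """observations: iterable of (source_ip, raw_frame). Writes are expected only from
    the engineering workstations; anything else writing to a PLC is worth an alert."""
    alerts = []
    for src, raw in observations:
        try:
            f = parse_modbus_tcp(raw)
        except ValueError:
            continue  # not Modbus, or malformed: out of scope here
        if not f.is_exception and f.function_code in WRITE_FCS and src not in engineering_hosts:
            alerts.append((src, f.unit_id, describe(f)))
    return alerts


# Constructed traffic: a read from the HMI, a write from the engineering
# workstation, the same write from an unexpected host, and one non-Modbus packet.
HMI, ENG, ROGUE = "10.10.1.20", "10.10.1.5", "10.10.1.99"
OBSERVED = [
    (HMI,   build_modbus_tcp(7, 1, 3, struct.pack(">HH", 0x0000, 10))),  # read 10 holding registers
    (ENG,   build_modbus_tcp(8, 1, 6, struct.pack(">HH", 0x0010, 1))),   # write register 0x10 := 1
    (ROGUE, build_modbus_tcp(9, 1, 6, struct.pack(">HH", 0x0010, 0))),   # same register, set to 0
    (ROGUE, b"GET / HTTP/1.0\r\n\r\n"),                                   # not Modbus at all
]

if __name__ == "__main__":
    for src, raw in OBSERVED[:3]:
        print(src, describe(parse_modbus_tcp(raw)))
    print("alerts:", unauthorised_writes(OBSERVED, {ENG}))
```

The point the parser makes for itself is that nothing in the frame carries identity: the write from the rogue host is byte-for-byte the same shape as the legitimate one, so the only place to enforce "who may write" is at the network layer, by source address, which is exactly the control most plants lack.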
| 18 |
Chris Sumner @TheSuggmeister |
Determining Personality Traits & Privacy Concerns from Facebook Activity |
This study explored the extent to which it is possible
to predict personality traits and privacy concerns based on Facebook
use.
This was done by comparing the 'Big Five' personality traits with
Facebook usage, activities and language use. Results show that there
are some significant correlations between an individual's personality
type, their Facebook activity and their level of concern about privacy.
However, the practical significance of these correlations is currently
relatively low, although research is underway to improve predictability.
This means that making meaningful conclusions about people or taking
decisions that will affect their lives on the basis of Facebook
activity may therefore be problematic and error prone for now. These
findings support and extend previous research in online social networks
by showing that Facebook activity can provide limited clues to an
individual's personality. However, further research into social
media use is critical to ensure that the practical and ethical implications
of drawing conclusions about personal information embedded in social
media sites are better understood.
This talk discusses online activity, personality types and privacy
concerns in relation to a range of topics including marketing, pre-employment
screening and susceptibility to crime such as phishing and confidence
fraud. |
Any Geek |
2 |
Can be filmed and released |
Yes |
60 minutes |
| 19 |
James Davus |
Herding lolcats: tales from the incident response coalface |
Keeping watch over one of the fastest, largest,
busiest and most diverse networks in the UK is a difficult task.
Millions of end-users with their own ideas of what the network is
for, and all with hundreds of gigabits of bandwidth at their disposal.
Balancing security and openness is a Sisyphean task.
In this talk I'll look at some of the tools we've developed to monitor
the network and take a look at some of the more "interesting"
incidents that have happened on our watch. I shall attempt to cover
everything from netflow and perl, to misunderstandings and the deepest
paranoia. |
Techies, Any Geek |
3 |
Sorry only for those attending |
No |
30 minutes |
| 20 |
Stephen Bonner @stephenbonner |
Elegant Security |
This talk highlights examples of the most elegant
attacks and defenses in IT Security - those insights that leave
you thinking for weeks 'That's clever' and 'I wish I'd thought of
that'.
Each uses simple steps in unexpected ways that appear obvious in
hindsight but changed/are changing the face of IT Security. There
will be no brute force or flooding denial of service attacks here.
Some audience participation involved. |
Techies |
3 |
Can be filmed and released |
No |
30 minutes |
| 21 |
Rory McCune @raesene |
Shadowboxing your way to secure applications |
There's a lot of confusion in testing about what's
the "best" way to assess the security of an application,
should I do Black-Box? Should I do White-Box? What automated Tools will and won't do for me?
Turns out that like everything in security the answer depends, but
this talk will hopefully shed some light on where each approach
works and fails and suggests a middle path that perhaps can give
the best of both worlds. This will be a hands on talk with real-world
examples (dark god of demos permitting) |
Techies, Any Geek |
3 |
Can be filmed and released |
No |
30 minutes |
| 22 |
Thom Langford @tandtsec |
An Anatomy of a Risk Assessment |
A thorough risk assessment is an intimate process,
akin to the dissection and analysis of key organs of the body. Each
organ needs to perform its function in complete harmony with the
others in order to fulfill its true function and potential. This
presentation looks at the various organs and body parts of a risk
assessment in a practical and down to earth manner.
This is not risk assessment by the numbers, or indeed how to tick
boxes (please, go and buy a book for that!) but rather what are
the tips and tricks that you can use to get through an assessment
(or even an audit) from either side of the table. How can you get
the most out of your auditor? How can you read between the lines
of what a difficult client is saying to ensure you get the most
accurate assessment of their environment? Learn of the various tools
you have at your disposal that are not only free, but are an integral
part of your anatomy!
And as you enter the risk afterlife, how can you be confident in
the outcomes of the assessment in the first place? |
Business |
3 |
Can be filmed and released |
Yes |
60 minutes |
| 23 |
Scott Cowie @hamgammon |
A Civilian's View of Security |
Today's world is quite scary with ID theft, fraud
and physical theft.
Has the security industry forgotten the public? Their security education?
Needs? Lifestyle?
I want to take a look at what the public think about security procedures
and what happens when the genuine customer is locked out. Making
you look through the eyes of the "Punter", will you be
reminded of what it was like before you talked the security talk?
Everyday life will be looked at and broken down into things you
take for granted with reasons why the public hate/like it, how things
work and don't work.
Hopefully looking at these issues will help you "reconnect"
with the public and take another look at that security policy... |
Techies, Business, Any Geek |
1 |
Can be filmed and released |
Yes |
60 minutes |
| 24 |
Arron "Finux" Finnon @f1nux |
UPnP - The Useful plug and pwn protocol - revisited |
Universal Plug and Play protocol (UPnP) can be described
as a set of networking protocols that allow a type of seamless discovery
and communication between other UPnP devices. Data sharing capabilities are just the beginning
of UPnP's remit; in some cases UPnP devices can actually make configuration
changes to one another. The
aim is a type of hassle-free configuration environment, aiming to give
its users that "just works" feeling, much like the plug
and play technology of the past.
However, hassle-free configuration can ultimately mean hassle-free
hacking.
This talk is loosely based on a previous BSides talk and aims to
give attendees an overall view of UPnP and some of the security
issues faced by many devices today.
During 2011 a number of interesting issues were discovered.
The talk looks at how an attacker can deploy a series of
incredibly simple yet effective attacks against a wide range of
UPnP devices such as routers found in many homes today, and why
those very routers are ill equipped to defend against them.
With one simple command it is possible to open an internal
port to an external port without authentication or a stamp within
the router's access logs. In some cases it is even possible to disable
internet connectivity, attacking
the very fabric of UPnP's implementation to gain a very real presence
on a network.
It's easy to see why many technologically minded people argue for turning
this protocol off; however, it is not always as simple as it would
first appear. Much functionality
of very popular devices and applications would be lost, in addition
to it not being the most user-friendly process to be invented. With concerns about this same technology
being used in smart homes in the future, the threat can only become
bigger. |
Techies, Business, Any Geek |
2 |
Can be filmed and released |
No |
60 minutes |
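What the "one simple command" in the abstract above amounts to on the wire is a single unauthenticated SOAP POST to the gateway's WANIPConnection control URL. The following is an added example for this page, not the speaker's demonstration: it builds that AddPortMapping request, parses the SSDP reply through which a client learns where the control URL lives, reads the mapping arguments back out as a router (or an IDS) would see them, and shows the minimal policy a gateway could apply before honouring one. Service, action and argument names are those of the UPnP WANIPConnection:1 specification; the addresses, paths, sample SSDP reply and the acceptance policy are constructed assumptions.

```python
"""UPnP IGD AddPortMapping: the request that opens a port on a home router with no
credentials, and the check a router could apply before honouring it.

Added example for this page, not the speaker's material. Service/action/argument
names follow the UPnP WANIPConnection:1 specification; the hostnames, control URL,
sample SSDP reply and the acceptance policy are constructed for illustration."""
from xml.etree import ElementTree as ET
from xml.sax.saxutils import escape

WANIP_SERVICE = "urn:schemas-upnp-org:service:WANIPConnection:1"
SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"


def build_add_port_mapping(control_url: str, host: str, external_port: int,
                           internal_port: int, internal_client: str,
                           protocol: str = "TCP", description: str = "example",
                           lease_seconds: int = 0) -> bytes:
    """Return the raw HTTP POST (headers + SOAP body) for AddPortMapping.
    Nothing in it identifies or authenticates the caller: the protocol has no such field."""
    if protocol not in ("TCP", "UDP"):
        raise ValueError("protocol must be TCP or UDP")
    args = [
        ("NewRemoteHost", ""),                       # empty = any remote host
        ("NewExternalPort", str(external_port)),
        ("NewProtocol", protocol),
        ("NewInternalPort", str(internal_port)),
        ("NewInternalClient", internal_client),      # any LAN address, not just the caller's
        ("NewEnabled", "1"),
        ("NewPortMappingDescription", description),
        ("NewLeaseDuration", str(lease_seconds)),    # 0 = permanent
    ]
    body = "".join(f"<{k}>{escape(v)}</{k}>" for k, v in args)
    envelope = (
        '<?xml version="1.0"?>'
        f'<s:Envelope xmlns:s="{SOAP_NS}" s:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">'
        f'<s:Body><u:AddPortMapping xmlns:u="{WANIP_SERVICE}">{body}</u:AddPortMapping></s:Body>'
        '</s:Envelope>'
    ).encode()
    headers = (
        f'POST {control_url} HTTP/1.1\r\n'
        f'HOST: {host}\r\n'
        'CONTENT-TYPE: text/xml; charset="utf-8"\r\n'
        f'CONTENT-LENGTH: {len(envelope)}\r\n'
        f'SOAPACTION: "{WANIP_SERVICE}#AddPortMapping"\r\n\r\n'
    ).encode()
    return headers + envelope


def parse_ssdp_response(raw: bytes) -> dict:
    """Header block of an SSDP M-SEARCH reply as a dict (names upper-cased).
    LOCATION points at the device description, from which the control URL is read."""
    headers = {}
    for line in raw.decode(errors="replace").split("\r\n")[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().upper()] = value.strip()
    return headers


def mapping_args(request: bytes) -> dict:
    """Pull the AddPortMapping arguments back out of a request, as a router or IDS sees them."""
    body = request.split(b"\r\n\r\n", 1)[1]
    action = ET.fromstring(body).find(f".//{{{WANIP_SERVICE}}}AddPortMapping")
    return {child.tag: child.text or "" for child in action}


def should_accept(request: bytes, requester_ip: str) -> bool:
    """Constructed policy, not part of the spec: only map ports back to the host that
    asked, and only for a bounded lease. Most home routers apply neither test."""
    a = mapping_args(request)
    return a["NewInternalClient"] == requester_ip and int(a["NewLeaseDuration"]) > 0
```

Because NewInternalClient is free text, a single request from one LAN host can expose any other host (or the router's own management interface) to the internet; the two-line policy in `should_accept` is enough to stop that class of request, which is why its absence matters.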
| 25 |
Arron "Finux" Finnon @f1nux |
"Tuning to a different key - introducing weaknesses into security devices" |
When security devices such as NIDS/NIPS (Network
Intrusion Detection/Prevention Systems) are developing their rules/signatures,
exploit PoC's tend to be used to develop and test those rules. Sometimes
there is lots of PoC code around for a single exploit. Not too much
of a leap of faith to suggest that those people developing those rules
will stick to what they know, and obtain those PoCs from their favourite
place. What happens if an exploit from one PoC is very subtly
different from ALL the other PoCs available? What happens
if this subtly different PoC is more popular than the rest? What
happens if the PoC is not a clear baseline of the threat? What happens
if you introduce a "quirk" in to your NIDS analysis?
This talk looks at the situation where the choice of PoC for NIDS/NIPS
signature could have massive and wide-ranging implications. For lack
of a better term, what happens if a security rule writer inadvertently
codes a very subtle quirk into the rules. This can lead to a situation
where the same exploit using a different PoC might well be sufficiently
different from the rule writers sample as to evade detection. The
reality of this is in play in the real world, and security devices
have been tuned to a slightly different key. I intend to show an
example of how security devices have been developed using a unclean
sample and how an exploit's original PoC can pass NIDS detection.
The aim of the talk is to raise awareness into carefully verifying
an exploit prior to developing rules, a practice that is clearly
not happening. |
Techies, Business, Any Geek |
4 |
Can be filmed and released |
Yes |
60 minutes |
| 26 |
Manish
Saindane
@msaindane |
IronWASP |
IronWASP (Iron Web application Advanced Security
testing Platform) is an open source system for web application vulnerability
testing. It has been designed keeping in mind the typical mindset
of a penetration tester and to cater to the need for customisation
during a penetration test. At the heart of the framework lies a
powerful scripting environment and plugin framework powered by IronRuby
and IronPython, that allows the tester to customize the framework
completely. Some of the core features of the framework include:
- Writing custom scanners to exploit vulnerabilities such as SQL
Injection, XSS, etc. using Active plugins.
- Parsing / Modifying responses to gather useful information or
find security issues.
- Writing plugins for handling serialization / deserialization of
custom formats, be it binary or text (e.g. XML, SOAP, JSON, Java
Serialized Objects, WCF Binary SOAP, etc.)
- Handling custom site behaviour while scanning for vulnerabilities
and writing plugins for handling this. Such scenarios might include
handling CSRF tokens, CAPTCHAs, dynamic login functionality, maintaining
sessions, etc.
- Finding DOM based XSS and similar issues using the built-in JavaScript
static analysis engine.
- Custom API to handle HTTP requests/responses, HTML parsing, website
crawling, encoding and decoding popular formats |
Techies, Any Geek |
3 |
Can be filmed and released |
Yes |
60 minutes |
| 27 |
Rohyt
Belani
@rohytbelani |
Dissecting APT, Night Dragon, and Aurora |
Targeted phishing attacks are now the mainstay of
organized crime and espionage. This presentation will delve into
the details of the anatomy of two such attacks - one against a major
US financial institution and another targeted at US critical infrastructure.
We will discuss the MO in detail. Following that we will discuss
viable countermeasures to such attacks, and present metrics to prove
what works and what doesn't. |
Techies |
3 |
Can be filmed and released |
Yes |
60 minutes |
| 28 |
Sandro
Gauci
@sandrogauci |
Escalating privileges on common webapps |
In this presentation we will look at how to escalate
privileges on web applications. I will focus on WordPress and other
common web applications and how gaining access to a low privileged
user or exploiting certain vulnerabilities, such as XSS or insecure
Cross-domain policies, can lead to a full system compromise. I will
give real examples based on experiences gained during pentest gigs
and show how far one can get by hopping from one vulnerability to
another. Some of these issues are by design, so solutions can
be quite tricky and hence interesting. We will also discuss possible
mitigation methods to address common scenarios.
Note: with this presentation I plan to release a repository with
useful working sample code hoping to make your penetration test
demonstrations a little bit more interesting than alert boxes or
reference links to third party websites. |
Techies |
3 |
Can be filmed and released |
No |
30 minutes |
| 29 |
Cliff
O'Sullivan
@cliffsull |
Can You Crack it - nope I will let someone else
do it for me... |
A talk based around how I socially
engineered the answer to part one of the GCHQ hacker competition
and received over 100k hits on my blog as a result.
Explains, using screengrabs, charts and my talk, how I had the answer to the 'Can You Crack
it' part 1 within 8 hours.
I used no actual tools and the stunt was based totally on some of
the methods available via @irongeek_adc / www.irongeek.com (Kudos) |
Any Geek |
1 |
Can be filmed and released |
No |
30 minutes |
| 30 |
Steve
Lord
@stevelord |
Set Sail For Enterprise Fail |
Have you ever seen an enterprise application deployment
go completely sideways? This speaker has. At the risk of associating
himself with project failure, he'll explore vulnerabilities in a
number of enterprise products, provide examples of security fail
in the real world and discuss strategies for avoiding them. |
Techies, Business, Any Geek |
2 |
Can be filmed and released |
No |
60 minutes |
| 31 |
Sergey
Shekyan
@sshekyan |
Are you ready for slow reading? |
While developers and administrators are paying attention
to handling slow HTTP requests without issues, another aspect is
being overlooked – making sure clients of HTTP servers are accepting
server data fast enough.
This workshop will present a tool that, along with other attacks,
performs a Slow Read Application Layer DoS attack, that keeps the
HTTP server busy by requesting relatively large resources and accepting
them abnormally slowly by exploiting TCP Persist Timer (MS09-048,
CVE-2008-4609, CVE-2009-1925, CVE-2009-1926). Although the possibility
to prolong the TCP connection forever was first mentioned three
years ago, most web servers are still not able to handle this issue.
My approach, unlike others, doesn’t require any TCP packet crafting,
and the tool I developed controls TCP bandwidth by manipulating
socket options through the socket API.
The attack is easy to execute because a single machine is able to
establish thousands of connections to a server and generate thousands
of legitimate HTTP requests in a very short period of time using
minimal bandwidth. Due to implementation differences among various
HTTP servers, different attack vectors exist which will be discussed
in this talk, along with demonstration and the best approaches to
detect vulnerability to these attacks. Detection and mitigation
techniques will also be discussed. |
Any Geek |
2 |
Can be filmed and released |
Yes |
30 minutes |
| 32 |
Paul
Marsh
@UHF_Satcom |
Satellite hacking |
What sort of data can be received from the vast
numbers of satellites in orbit around the Earth? What are the various
types of satellite orbits, and what equipment is needed to start
'hacking' satellites? These questions, and more, will be answered
in this talk which discusses satellite hacking techniques. Real
life examples of traffic, data and audio communications received
will be presented. We'll also take a critical look at a UK military
satellite hacking incident which was widely reported in the press,
and consider the commonly asked question - "can it be done?" |
Techies, Any Geek |
3 |
Sorry only for those attending |
Yes |
60 minutes |
| 33 |
Vinayak
Ram
@Dmitri |
Lessons from the Trenches: Implementing and Achieving
BS 25999 Certification in
a Bank |
The number of companies getting
certified against the BS 25999 is growing exponentially. Ensuring
continuity of operations is one of the key risks that enterprises
are dealing with this year. This has increased importance with
the Olympics being staged over the summer and the forecast of widespread
disruptions.
In this talk, we describe our experience in the implementation of a
BCMS framework in a large-sized bank. Without going deep into the
theory aspects, the talk is targeted towards BCM Managers and Implementers
who want a direct and honest viewpoint on what it takes to implement
and achieve compliance and certification against the requirements
of the BS 25999 standard.
The talk intends to provide practical and implementation-specific
information which may help BCM practitioners improve and better align
the BCM frameworks with the BS 25999 specifications in their respective
organizations. |
Techies, Business |
3 |
Can be filmed and released |
No |
30 minutes |
| 34 |
Mike
Shema |
Blind Fury: An Alternate Web App Fingerprinting
Technique |
Web app fingerprinting attempts to identify the
type and version of JavaScript libraries and application frameworks
installed on a web site. Accurate data provides clues to known vulnerabilities
in the site's code and makes blackbox testing more efficient by providing
useful feedback.
Traditional approaches to fingerprinting web apps rely on brute
force enumeration of pages, scraping content with regexes, or a
hybrid of the two. This has drawbacks: page enumeration is bandwidth-intensive;
its accuracy drops when "install" files are removed or
pages are minified; regexes are prone to incorrect matches or are
defeated by trivial site changes (such as removing <meta>
content). These techniques tend to identify the presence of pages
on a site, but do not indicate whether the files are actually used
by the application.
Blind Fury uses a JavaScript-based approach that does not rely on
page enumeration or regexes. Yet it is still able to identify several
popular frameworks. In fact, the technique can be extended to generate
fingerprints for almost any type of web site. It can create and
analyze fingerprints from a completely blackbox perspective; it
does not require prior knowledge of a target's directory structure. |
Techies, Any Geek |
3 |
Can be filmed and released |
No |
30 minutes |
| 35 |
David
Stubley
@DavidStubley |
Cell Injection: Attacking end users through the
application. |
We’re all familiar with input and output validation
and why it’s important for the overall security of web applications,
but are your web app tests focusing solely on HTML and missing the
other ways in which your customers may render data?
Through a live demo this presentation will show you a common, real
world example of some good old fashioned ownage and abuse of trust,
resulting in full compromise of an internal host. |
Any Geek |
2 |
Can be filmed and released |
No |
30 minutes |
| 36 |
Jingwei
Tan
Emil Tan @EmilJW |
Virus Propagation via Social Engineering |
The presentation explores the recent use of non-technical
exploits on the human operating system by cyber criminals. I will
be discussing three main social engineering techniques used to deceive
potential victims into downloading a piece of malware by influencing
their cognitive behaviour - deceit by curiosity, deceit by fear
and deceit by trust. |
Business |
1 |
Can be filmed and released |
No |
30 minutes |
| 37 |
Daniel
Nathan Williams
@Terminal15 |
The Illusion Of Security - A World Into Lock Picking! |
Locks, locks and more locks! Everywhere you go you
can see locks around the place to try and keep you out of where
you are not supposed to go and keep the company secrets hidden. The
question is, do they actually work? This presentation is going to
show you how the illusion of locks is there to give a false sense
of security and how easily they can be broken, taken and compromised
to let you in to any place you can think of! Not only that but we
go in depth on how human error can affect security and why insufficient
staff severely compromise the security of locks. Also we'll pick
locks for you... |
Techies, Business, Any Geek |
1 |
Can be filmed and released |
No |
30 minutes |
| 38 |
Davi
Ottenheimer
@daviottenheimer |
vSphere5 hardening and assessment automation |
This presentation describes the process of writing
the latest benchmark hardening and assessment methods based on the
Security Content Automation Protocol (SCAP). It reviews the latest
prose and syntax of the XCCDF for VMware vSphere 5. Attendees will
see how to develop their own fast, detailed assessments of system
conformance to hardening benchmarks and regulatory compliance. |
Techies |
5 |
Can be filmed and released |
No |
60 minutes |
| 39 |
Ian
Moyse
@Imoyse |
Security In a World of SaaS Applications |
Cloud is the most hyped computing term in years
and every vendor is marketing cloud as the solution to all your
IT woes. There are a variety of cloud services from
Public to Private, SaaS through PaaS and IaaS, and with all come
new questions, benefits and risks.
Public SaaS has been one of the fastest adopted and is certainly
the most digestible for the majority of businesses. Much is spoken
of the pros, but what of the flipside and the balanced view of what
else you need to be aware of and consider as we all increasingly
use cloud applications? Here in a short, sharp 30-minute session,
the speaker, who has been involved with 3 SaaS vendor solutions over
the past 8 years, gives a warts-and-all guidance view of what you
need to consider, ask and think about when implementing and considering
SaaS solutions to ensure you enter with your eyes open. |
Techies, Business, Any Geek |
3 |
Can be filmed and released |
Yes |
30 minutes |
| 40 |
Ivan
Ristic
@ivanristic |
SSL and PKI: The Pillars of Broken Security |
Recent attacks on browsers and certificate authorities
for SSL have shown how fragile these systems are, yet we all depend
on them while using the Internet on a daily basis. This talk will
explore the implementation flaws in the SSL protocol and the browsers
that support it. The speakers will showcase extensive research collected
from millions of websites that reveal the state of SSL and Browser
Security on the Internet. The session will then explore the mitigation
options for the problems we are experiencing today, and provide
a framework in which we can solve future SSL security issues. |
Techies, Any Geek |
3 |
Can be filmed and released |
Yes |
60 minutes |
| 41 |
Colin
McLean
@Doctor_Hacker |
H@cking Tayles of the first degree – Student Centred
Hacking. |
In 2006, “Abertay”, a small University in North East
Scotland, released the world’s first undergraduate degree in Ethical
Hacking. This is the story of the how’s and what’s of the course
and what happens when you put a bunch of geeks together in a classroom.
It is a story of students talking at conferences, graduates walking
in to good jobs and students discovering flaws. It is also a story
of famous internet trolls, egos, alcohol, a pregnancy epidemic and
volatile students.
The serious side concentrates on the need for such degrees, the
lessons learned, curriculum development, teaching approaches and
proposed ingredients for success in an Ethical Hacking degree. |
Any Geek |
1 |
Can be filmed and released |
No |
30 minutes |
| 42 |
Dave
Hartley
@nmonkee |
SAP Slapping (a pentester's guide) |
The talk aims to provide the
audience with just enough information to go from zer0 to her0 in
as short a time as is possible when encountering SAP systems during
engagements - without
serious fail! This talk will not provide a deep understanding of
SAP, nor will it provide you with the abilities to perform in-depth,
effective and comprehensive security assessments of SAP landscapes.
Might be some lulz though ;) |
Techies, Any Geek |
2 |
Can be filmed and released |
No |
60 minutes |
| 43 |
Ollie
Whitehouse
@RecxLtd |
Finding the weak link in Windows binaries |
Modern Microsoft Windows applications can be a chore
when finding where to spend one's effort with regard to finding
vulnerabilities to exploit, due to the defensive technologies available.
This talk will discuss how to identify binaries that increase
the likelihood of a return on investment or represent a general
high-level risk due to missing defences. Alternatively, for those
not in the exploitation game, this talk will show how to identify
findings that are of value to independent software vendors or end
user customers who utilize binary-only products yet want to gain
a base level of assurance that SDLC best practices are adhered to
without source code or symbols. |
Techies |
4 |
Sorry only for those attending |
Yes |
60 minutes |
| 44 |
Glyn
Wintle & Sheila Thomson
@glynwintle @sheilaellen |
The Evil Overlord Guide to Security |
A humorous Top 10 of security vulnerabilities including
practical approaches for addressing them. Inspired by Peter's Evil Overlord list (http://www.eviloverlord.com/lists/overlord.html). |
Techies, Business, Any Geek |
1 |
Can be filmed and released |
Yes |
60 minutes |
| 45 |
Sasha
Zivojinovic
@Mook |
United States Of Browser Insecurity |
This talk will cover the state of browser-enforced
security models in 2012, including Same-Origin Policy derivatives:
how they should work, where they fail and an example of how to bypass
them. Additional content will include bypassing Cross-Site Scripting
filters in Chrome and abusing MIME types for fun and profit. |
Techies, Any Geek |
3 |
Sorry only for those attending |
Yes |
30 minutes |
| 46 |
Marc
Wickenden
@marcwickenden |
Twitter spam: The life of a bot |
The rise of Twitter and URL shortening websites
has brought with it a daily deluge of unsolicited tweets from spam
bots. Through automated analysis we’ve been researching what these
tweets are all about, uncovering the websites they are linking to
and identifying the traits and trends which make up the life of
the average bot. |
Techies, Business, Any Geek |
2 |
Can be filmed and released |
No |
30 minutes |
| 47 |
Marc
Wickenden
@marcwickenden |
ssh-agent: Abusing the trust |
SSH with public key authentication is seen as a
robust and secure solution and, as security professionals, one we
all recommend. But is this approach as secure as we think?
Despite the warnings, many users remain oblivious to the dangers
of ssh-agent forwarding and how server administrators can abuse this
trust to use your keys against you. In this talk we demonstrate
new ways to weaponise the process of ssh-agent based attacks and
how to defend yourself. |
Techies, Any Geek |
3 |
Can be filmed and released |
No |
30 minutes |
| 48 |
Erik
Peterson
@silvexis |
Building your own Zombie Horde - Dynamic Web Scanning
at Massive Scale |
In the 12 years since automated dynamic application
scanning tools have been available, DAST has gone from something
a few in the know were doing to something everyone is doing, but
are we really all scanning our web applications? The number of hacks
would suggest either the tools are broken or we really are not scanning
enough. To understand what was really going on I met with dozens
of Fortune 100 security and learned that on average only the top
1% of web applications at a Fortune 100 company are being aggressively
tested both manually and using automated tools but the rest are
often going without any security testing at all. Reasons given were
that it was just too cumbersome of a task, scanning that number
of sites would be impossible and at the current pace would take
years to assess everything.
Clearly a better solution is needed.
In my talk I'll discuss the modern enterprise challenges that stand
in the way of assessing thousands of web applications rapidly in
parallel, the trade-offs that have to be made as well as those that
don't and why you have no excuse to be scanning everything. I'll
detail the cloud computing platforms I researched and chose and
the key things to consider when attempting to do anything at scale.
Finally I will review the results of a project that started with
over 30,000 hosts and ultimately ended with a fully automated assessment
of almost 3000 sites in less than 2 weeks' time. |
Any Geek |
3 |
Can be filmed and released |
Yes |
60 minutes |
| 49 |
Rorie
Hood
@1337hound |
The inherent issues in interpreted languages |
Interpretation is a modern, common method of source
code compilation. It allows interpreted languages to utilise a "write
once, run anywhere" philosophy. Instead of compiling source
code into an executable, it is compiled into an intermediate language
(IL). In Java this is known as Java Bytes, though a similar IL is
used in other languages such as Python, PHP, or the .net languages.
This IL will then be interpreted at runtime by the language's runtime
environment that will convert the IL code into architecture-specific
machine code that the processor will understand.
The issue here is that we have to trust the runtime environment.
It handles the compilation of source code into IL code. And then
interprets the IL code into machine code during runtime. The realism
is that we have no idea what the runtime environment is doing at
any given time. Due to the fact that we didn't write it, it's reasonable
to say that we really have very little idea of what it's doing,
except at the highest level. But what if the runtime environment
has been attacked; manipulated in subtle ways? Would you even notice?
Even if the runtime environment has methods to check its own authenticity,
can you really trust that those methods haven't been altered? By
extension, can you really trust a runtime environment to generate
an executable that is an exact derivative of your source code? This
talk looks into manipulation of the runtime environment, and how
subtle changes can be used to infect any byte code interpreted by
the runtime environment. |
Any Geek |
3 |
Can be filmed and released |
No |
30 minutes |
| 50 |
Darren
Fuller
@Fully |
I know what you scanned last summer |
In May 2010 a "default" email address
used by a popular web application
vulnerability scanner was found to be using a non-existent .com
domain. This domain name was registered to see if any email or web
traffic would be sent by users of the scanner.
The result of nearly two years of email bounced to this "sinkhole"
address is 150,000 emails totalling nearly 8GB of data!
This 30 minute presentation will give an overview of the challenges
of accessing and quantifying this data along with a breakdown of
interesting facts we can glean from this.
We will discuss the standards of password policies as well
as the implications of thinking that the site you're testing is
"private" when your scanner is bouncing usernames and
passwords from the registration form to an unknown destination.
You may trust your vendor but this gives an interesting insight in
to what can go wrong. |
Any Geek |
2 |
Can be filmed and released |
No |
30 minutes |
| 51 |
Chris
John Riley
@chrisjohnriley |
Bypassing end-point protection using a ball of string
and some bubblegum |
I'm sure we've all day it... that popup on a box
that just won't go away. The only thing between you and a meterpreter
shell. End-point protection is becoming ever more popular, and sometimes
nothing you do with Metasploit will quite do the trick. This talk
will cover ongoing research I'm conducting into bypassing end-point
protection systems (AV, HIDS, HIPS, ...) using a mixture of shellcode
injection and Python code held together with little bits of string
and some bubblegum I found under my chair!
Python snobs need not attend ;) |
Techies |
3 |
Can be filmed and released |
No |
30 minutes |
| 52 |
Manuel
Leithner and Christian Krieg |
Antiforensics extravaganza - wreck ALL the data! |
Welcome to Totallynotenglistan, which recently got
rid of that outdated view that you have any expectation of privacy
for your electronic storage media. Got it encrypted? No problem,
hand over the key or be thrown in jail. After all, you're not incriminating
yourself, only giving them the key to your virtual house. And since
all communists and hippies must be incarcerated, that copy of the
manifesto might just pave your way up shift creek. Unless you don't
have it anymore. And we can help with that.
In a double feature starring an electrical engineer and a guy who
really hates forensics, we'll guide you through the most effective,
efficient and entertaining ways to physically and logically destroy
or hide your equipment and data alike. From the Hollywoodesque,
highly amusing and probably impractical to the quick, stealthy and
efficient, we'll document our way towards broken USB keys, detection-resistant
encrypted ex-filesystems and freakin' explosions so you don't have
to take the risk.
Warning: Might not deter actual skilled forensic investigators.
But if you're hiding stuff from police, border guards or your mom,
that should be alright. |
Any Geek |
3 |
Sorry only for those attending |
No |
60 minutes |
| 53 |
Mike
Auty & Zak Maples |
MIFARE: Real World Cookies |
The weaknesses in MiFare are well documented and
have been widely known for a number of years. Perhaps what is less
well known are the specifics about some of the applications that
are built upon these technologies and the way in which we can go
about testing them. We have found through analysing a number of
real world implementations that smart card systems are similar to
web applications: they can be implemented really badly or implemented
properly.
In this talk we will give an introduction to MiFare for those not
familiar and give an outline of the key weaknesses in the crypto
contained in MiFare cards. We will then discuss a particular case
study, run through the weaknesses in this particular implementation
and the ways in which they can be leveraged to exploit the system.
We will conclude by talking about the impact that NFC enabled mobile
phones have on the security of these smart card systems. |
Techies, Any Geek |
3 |
Can be filmed and released |
Yes |
60 minutes |
| 54 |
Alan
Calder |
Making Sense of Cyber Threats - Management Overview |
News reports regularly describe cyber attacks and
the UK government has recently published a new cyber security strategy.
Directors are told that cyber risk should be on the board agenda.
But what are cyber threats, really? What is the difference between
an APT (Advanced Persistent Threat) and a cyber threat? How real is the risk of cyber crime? How do
confidentiality, compliance and commercial issues overlap in organisational
responses to cyber threats? And what does a joined-up solution to
the UK’s No 1 security threat look like?
We will describe the nature of cyber threats, differentiating between
APTs and other cyber threats. He will analyse the objectives of
different attackers, and look at how compliance needs – DPA, PCI
etc – should be taken into account. He will look at risks in fixed
and mobile perimeters, at the inward and outward bound channels,
at Cloud services and take account of OWASP and SANS Top Security
Risks.
In the context of organisational risk appetite, he will then describe
the range of possible solutions – from management systems based
on ISO27001 through security configuration, encryption, website
security and penetration testing to HR issues including staff termination,
awareness training and social engineering.
Finally, he will deal with the role of incident response, cyber
resilience and digital forensics.
This carefully structured presentation will ensure that today’s
IT managers have a coherent overview and understanding of the nature
of cyber threats and the components of an effective response to
them. |
Business |
3 |
Sorry only for those attending |
No |
30 minutes |
| 55 |
Brian
Honan
@brianhonan |
Hacking Senior Management - Getting Your Message
Across |
Why is it that despite regular news headlines about
security breach after security breach, senior management still seem
not to appreciate what it takes to secure their own data?
Despite having security professionals tell them about the weaknesses
of their systems, management still seem to ignore the problem.
But is that true? Do management ignore the problem? Or is it simply
that we are not communicating it to them in ways they understand
and appreciate?
This talk will highlight where and how we as security professionals
are failing to deliver recommendations to management so they understand
the risks. This talk will
look at the language of management and how to tell them in ways
they understand issues such as the impact of an SQLi vulnerability,
why FTP is insecure and why they need to invest in security.
The best hackers understand how systems work so they can make those
systems better and more secure.
This talk will teach you how to hack management so they can
make organisations more secure. |
Techies, Business |
2 |
Can be filmed and released |
No |
30 minutes |
| 56 |
Brian
Honan
@brianhonan |
May The Force be With You - Infosec Lessons from
Star Wars |
This talk will take a light hearted look at the
Star Wars movies and highlight lessons from them that we can apply
to infosec. Did Han Solo
shoot first or is it a good example of a pro-active incident response?
Shouldn't Princess Leia have encrypted the message she stored in
R2D2?
These and other elements of the movies will be examined and show
that even in a galaxy far far away infosec is still something that
needs attention |
Techies, Business |
2 |
Can be filmed and released |
No |
30 minutes |
| 57 |
Jelle
Niemantsverdriet
@jelle_n |
Check and double check |
This talk will focus on the simple concept of checklists
- why they work, how they work and why I think we should use them
more in Information Security. Of course not for a 'checkbox-audit'
where everything is checked but nothing is secure, but as a powerful
tool to overcome human errors and cognitive biases that are associated
with human operators in a complex environment. The talk will draw
on experience of human errors in information security based on forensic
investigations but will also touch on other subjects and industries
such as aviation, psychology and human interface design. |
Business, Any Geek |
2 |
Can be filmed and released |
No |
30 minutes |