The Rookie Track

A huge thank you to the rookies who have submitted a talk and their mentors. Together they are helping shape our community.

Check out the rookie tips page for some pointers on your presentation here.

10:00 - Why Pentesting Sucks by Cory Marchand

Abstract: "Typical pen tests simply aim to get root, typical recipients of Pentest results could care less about root. This talk would be focused on why "Red Team" type of assessments are more effective and can improve defenses on a whole by providing to the decision makers a "so what" outcome."


10:15 - Blinking Hell - Data Extraction Through Keyboard Lock States by Matthew Phillips & Richard Hicks

Abstract: "Using a small, cheap and freely available programmable USB device it is possible to export data from a computer system without being detected as a typical USB storage device. We have developed a PoC that is demonstrable, and our current research is now focused on defeating endpoint security solutions that track vendor and device IDs of USB devices."


10:30 - External Assessments by Owen Bellis

Abstract: "A presentation on steps and processes undertaken when performing assessments on companies' public-facing services on the internet. The talk will focus on issues commonly found when working with companies working towards PCI compliance or issues and procedures on standard external penetration tests.. or both.. content is not finalised."


10:45 - Talking in a foreign land by Anne Wood

Abstract: "Communication and delivering the right message is so important to get things done. One of the biggest factors impacting information security in the workplace is the lack of good communication practices between info sec professionals - we are a jargon rich, highly technical community - and 'the business'. This talk looks at how we can work to improve the way we communicate with our businesses (for internal info sec/ IT sec people) and customers (for the consultant group) in a way that they can understand. Sounds a bit dry maybe - but you need to translate between business groups and it's often something we forget to do. This would be a non-technical talk."


11:00 - Approaching Cipher Puzzles: Fun for all the snzvyl by Channon Powell

Abstract: "Overview of tackling cipher puzzle games. How to find the obviously hidden and where to go from there. With examples."


11:15 - Continuous security integration by Artjom Vassiljev

Abstract: "I'm a backend developer creating server code for games and websites. I've set up Jenkins on old hardware and added sqlmap and wfuzz. I'll be adding more tools to check for XSS and static code analysis.

So the talk is about my experience adding these tools to the CI process."


11:45 - Cyber Warfare Operations, Impact Assessments, Delphi Oracles, predictions & other funky stuff... (working title) by Konstantinia Charitoudi

Abstract: "A story about cyber warfare operations, the ability to perform impact assessment on them and the attempt to make predictions about attacks."


12:00 - Real-Time Static Analysis in Eclipse by Diarmaid McManus

Abstract: "Security code reviews often fail because of preventable bugs like a printStackTrace being left in production code. Failure to notice these early in the development lifecycle can increase the time, effort and cost in fixing these issues. Static analysis can identify these issues within the IDE, showing developers where vulnerabilities may occur in code. FindBugs and CodePro Tools are two popular Eclipse plugins that perform static analysis, but they don’t have many security rules available, and also have to be manually launched against the code.

I've been developing a plugin for Eclipse which provides real-time static analysis based on a set of security rules. It works in the background, silently analysing the code developers are working on at that time until it finds a potential issue which it then marks for the developer to examine.

This presentation will give a brief overview of static analysis methods, how these are used within the plugin and other tools to identify potential vulnerabilities, and how using this tool can help developers write more secure code. A quick demonstration of the plugin will be shown."


12:15 - ICMP - The proxy your admin hates to block by Ryan Ward

Abstract: "ICMP is the fundamental protocol in network diagnostics. During my second year at university I discovered an old article in Phrack magazine that used this protocol to break out of restricted networks. Researchers found that through crafting specific ICMP packets they could create 2-way traffic. The concept preys on the inconvenience caused by blocking ICMP.

This presentation aims to discuss the simplicities and malicious applications of an ICMP Tunnel."


12:30 - Web Application Vulnerabilities overview by Jamie Shaw

Abstract: "The talk will cover a basic overview of web application vulnerabilities such as XSS, SQLi, LFI/RFI and a few more."


13:00 - Exploiting Windows Deployment Services by Ben Campbell

Abstract: "http://rewtdance.blogspot.co.uk/2012/11/windows-deployment-services-clear-text.html

PXEBoot/WDS & Unattend Files overview
Quick demo sniffing credentials
Problems with VM approach
Putting together a tool to resolve this
Quick tool demo.
Unexpected outcomes"


14:30 - Incident response trends by Justin Greenwood Delgado

Abstract: "Looking at the current incident response trends within the corporate landscape. Giving more insight into the types of attacks that we are currently seeing from the public domain and how we try to combat these issues, from a technical point of view."


14:45 - Scanning without nmap by Isabel Forkin

Abstract: "Using ncat and various loops and commands to achieve something similar (albeit much slower!) to an nmap scan from a command line. This is for the times you get onto a box and would like to explore your surroundings without installing new software or manually probing the network. Will cover ping scan and TCP port scan. Will cover both Windows and Linux."


15:00 - Android Exploits by Damien King

Abstract: "Demonstrating different ways the Android system can be remotely controlled. Including: XSS with BeEF, browser exploit resulting in shell access and SMS bot malware - enabling remote control of an infected device from any phone via SMS."


15:15 - Security Awareness: Making Your Staff the STRONGEST link by Mo Amin

Abstract: "I still don't get why we call the people that we work with, i.e. "users" the weakest links. When in all honesty we don't actually engage with them as we should, to tell them what we are trying to protect them from and quite frankly it always appears that awareness is just a tick box exercise. Security is a process, so should awareness be.

So er I think what I'm trying to present is something along the lines of why and how infosec folk should help to educate users."


15:30 - Economics of Security by Leron Zinatullin

Abstract: "To be confirmed."


16:00 - NOSQL & Big Data - A way to lose even more stuff by Gavin Holt

Abstract: "With the increasing popularity of NOSQL and other Big Data systems, the number of exploits and vulns being found in these systems is increasing. Combined with the lack of good practice, this creates a very interesting and potentially costly attack platform.
This talk will look at current NOSQL Attack trends and the mitigations developers and DBAs can take"


16:15 - The upside-down-ternet by Gordon Gray

Abstract: "Any skiddie with a copy of backtrack can break into a badly secured WiFi network. This talk examines some offensive tricks that a LAN admin could use to teach them that it's not such a good idea."


16:45 - AppSec: Where the Human Wins by Dennis Antunes

Abstract: "Scanners have arguably gotten very good at finding most injection-based flaws, but the real wins are in uncovering the flaws a scanner can hardly ever highlight: flaws in business logic, privilege escalation, authentication weaknesses, etc. By letting the scanners do their jobs and really focusing your time in the right areas, you win while giving the customer a much more accurate picture of their application's security posture."


17:00 - Snapshots of the Brazilian Cybercrime Landscape by Berta Papp

Abstract: "Thoughts on how cyber criminals operate in Brazil and respective differences from Europe, the main features of cyberfraud, identity theft, collateral damage from nation-state built malware and hacktivism operations in this hostile and superficially regulated environment."


17:15 - Brute-Forcing Authentication by Lewis Arden

Abstract: "Showing steps and techniques using Burp Suite and its internal workings by attacking web authentication using a Brute-Force approach."