This is what BSides is all about: many submitted, and YOU selected the lucky few.
Roll up, roll up, get ready to be amazed as the freaks (I mean experts) of InfoSec rock your world.
Insecure Out of the Box by Robert Miller Biography: Robert has worked for MWR InfoSecurity since 2011, with a strong focus on Android device and application security. He co-runs MWR's Android Secure Development training course, and works with major application developers and device manufacturers in producing security-critical products and services. Robert has presented at both private corporate and public events on everything from teaching members of the public how to stay safe from malware, through to demonstrating the latest classes of mobile vulnerabilities and exploits to teams of developers and pen-testers. Abstract: Insecure out of the box: Leveraging Android manufacturers' mistakes to attack corporate networks. We have long known that Android can be affected by malware. Most users are now aware that they need to take care about what they install on their phones. But what about a brand new device that's fresh out of the box? We will show that two flagship Android devices are not as secure as people might suppose. Android has been through a security revolution in the last year in response to an avalanche of malware designed to take advantage of its permissive behaviour. We will talk through the latest advances in what is by far the world's quickest-selling mobile platform. We will then look at how the race for new features and functionality is undermining security in the latest Android devices. Finally we will look at how attackers can use these weaknesses to go beyond the realm of a person's personal device and into their employer's corporate network.
Breaking Binary Protocols and Bad Crypto by Graham Sutherland Biography: Graham Sutherland is a penetration tester working for Portcullis Computer Security in London. Before making the career move to security, he spent several years paying his dues as a developer. He is primarily self-taught and spent the best part of a decade doing independent security research, primarily focusing on Windows applications, embedded systems, binary network protocols, and cryptography. Abstract: This talk is a running account of a few weeks spent attacking and reverse-engineering a widely deployed network device. I went from having little knowledge of the system to producing some powerful and interesting exploits. The focus of this talk is more on how the issues were found than on the issues themselves. To that end, a generic set of hints and tips will be proposed for analysing and attacking binary protocols, including a method for classifying and identifying unknown cryptography used on data. Currently the issues that will be presented in this talk are being worked on with the vendor. It is hoped that by the time BSidesLondon takes place we will be in a position to talk openly about the specifics of the issues in question and the fixes that have been implemented. If this is not the case then the talk will not disclose the specific product or vendor, but will instead cover the techniques and interesting finds in a manner that is in line with our co-ordinated disclosure programme.
Poor Man's Static Analysis by Jon Butler (not the singer) Biography: Jon is Head of Research for MWR in the UK. He spends his time breaking and fixing the software and hardware that underpins most of the shiny things we've come to depend on, like browsers, payment terminals and smartphones. In a past life he was a keen binary reverse engineer, but lately has come to enjoy having access to the source code. Abstract: When you're hunting for bugs, let's face it: grepping for strcpy just doesn't cut it anymore. Instead of waiting for unsafe memory management functions to come back into fashion like moustaches or mustard-coloured corduroys, I decided to check in with "the future" and see what it had to offer me. What I found was a sea of similarly puzzled individuals, bizarre terminology, and a number of code snippets that would only compile on specific, different versions of libraries. So I set about piecing together what I could, and ended up producing a working tool in a fairly short period of time. This talk shows what can be achieved if you want to build static analysis tools and you don't want to spend a load of money or upload all your precious code to "the cloud". I will be making sense of the complex terminology surrounding this field, and detailing my struggles and conquests building a fast, flexible, and most importantly usable static analysis tool, all for free. If you're interested, but you wouldn't know a TranslationUnit from a bar of soap, this is the talk for you!
LOL (Layers On Layers) - bypassing endpoint security for fun and profit by Rafal Wojtczuk Biography: Rafal Wojtczuk has over 15 years of experience with computer security. Specialising primarily in kernel and virtualisation security, over the years he has disclosed many security vulnerabilities in popular operating system kernels and virtualisation software. He is also well known for his articles on advanced exploitation techniques, including novel methods for exploiting buffer overflows in partially randomised address space environments. Recently he has been researching advanced Intel security-related technologies, particularly TXT and VT-d. He is also the author of libnids, a low-level packet reassembly library. He holds a Master's Degree in Computer Science from the University of Warsaw. Abstract: Over the past many years there has been a plethora of security solutions available for Windows-based endpoints; many users and administrators have difficulty in assessing their strengths and weaknesses. Interestingly, many of these solutions are basically helpless against kernel-mode malicious code. Each kernel patch/0day creates a hole for organisations that goes unnoticed by most. In this talk, we will take the recent public exploit for the EPATHOBJ Windows kernel vulnerability and show that with some tweaks we can use it to bypass application sandboxes, AV, HIPS, rootkit detectors, EMET and SMEP - even if these solutions are stacked one upon the other. We simply keep on tweaking the exploit until we bypass _every security software_ that you would expect on a corporate user machine. This highlights the fact that "defense in depth" based on simultaneous deployment of multiple solutions sharing the same weakness is not satisfactory; we postulate the need for defensive methods that are immune to kernel-mode exploits, and discuss the possible implementations. The issue is far from theoretical - modern malware (e.g. TDL4) is already using this particular EPATHOBJ exploit to gain privileges. Also, Windows kernel vulnerabilities are frequent, and this is not going to change anytime soon - we have to live with them and be able to defend against them.
Defensive Security Research is Sexy Too (& a Real Sign of Skill) by Ollie Whitehouse Biography: Ollie is a middle manager, did some stuff he thought was cool back in the day and generally maintains an unhealthy compulsion for what is now known as cyber security. Having worked for consultancies, a security product firm and a major mobile device OEM he has stories to tell for any occasion (where any is security related). Abstract: This brief (30 to 45 minutes) presentation will discuss why security research shouldn't always be about getting root. Firstly we'll look at some of the goals of applied defensive research and basically why it is so damn interesting. We'll show how it applies from the lowest-level OS internals through to the highest-level hipster paradise. The presentation will then look at some previous problems and the types of research that had to occur in order to come up with an applied solution. Finally Ollie will zoom through some problems for which there exist only partial solutions, which deserve more focus, or whose current solutions are sub-par, to get your creative juices flowing.
Finux's Historical Tour Of IDS Evasion, Insertions, and Other Oddities by Arron Finnon Biography: Arron "finux" Finnon has been involved in security research for over 7 years. Arron has discussed a wide range of security-related topics at a number of Security/Hacking conferences both in the UK and internationally, as well as producing over 100 security-related podcasts, interviewing countless security professionals as part of the Finux Tech Weekly podcast show. During Arron's time at the University of Abertay Dundee he was also awarded the SICSA Student Open Source Award for his advocacy of Free and Open Source software for his work whilst president of the UAD Linux Society. Arron now splits his time between consulting and research for Alba13 Research Labs, a company which he founded. Abstract: Roll up, roll up, my Lords, Ladies and Gentlemen, come see the bizarre and wondrous marvels that the Cirque de Vendeurs Sécurité has to offer. Tales of miracle machines that can see into the future and tell their masters of all the dangers they face. Devices so wise that they can see the very threats of tyrants and evil-doers before they've even been thought of. Contraptions that possess a mystical sixth sense that can see every footstep and action a would-be assailant takes before any deadly blow is delivered. Miracle machines that give defenders a suit of armour so that the wearer needs no warrior skills in defending their castles. Come see for yourself, and purchase one of these wondrous miracle machines! Although the above sounds ludicrous and out of place, it isn't that far-fetched from a lot of the literature produced by Network Intrusion Prevention/Detection System vendors. This talk looks at the very long and fruitful history the world of network detection systems has to offer (you'll be surprised they're nearly 4 decades old), with an overview of just some of the failings these systems have had over the years, and how these failures shaped their development. In places this talk will be cynical and it won't win any friends from vendors, but attendees will be given enough background information to understand why detection systems like IDS/IPS can work, and why they're set to fail, all at the same time. Poor testing and the general acceptance by nearly everyone within the security industry that these systems can't deliver is only the beginning of their history of fail. I intend to discuss why certain evasion techniques worked, and why they will continue to work until we understand the inherent problems. Consider this talk a historical journey with one eye fixed on the future.
Privacy: State of the (performance) Art by Stephen Bonner Biography: Stephen Bonner is a Partner in the Cyber team at KPMG where he leads a team focused on Financial Services. Before KPMG he was Group Head of Information Risk Management at Barclays. He was inducted into the InfoSec "Hall of Fame" in 2010 and was number 1 on the SC/ISC2 'Most Influential 2010' list. He ran the London Marathon in 2011, raising over £15k for Whitehat/Childline. This year he is training to climb Mount Kilimanjaro in aid of Shelter. Abstract: Privacy is a basic human right; our democracy has the secret ballot at its very foundation. This critical right is at risk and is being infringed by governments and big business. How can you protect yourself in the electronic and physical world? How practical are the current defences? Can you live a normal life and retain the dignity of being free from surveillance? (Some of the tools and techniques may also be useful during the singularity/robot uprising but are presented for information only; any use may be subject to local legal restrictions and Stephen, for one, will not be held responsible should you alienate our new computer overlords.) [Presentation may include bright flashing lights, bad 70's haircuts and the kind of critique of current GCHQ/NSA policy that puts DV clearance at risk.]
A Day In The Life (Of A Security Researcher) by Craig Young Biography: Craig Young is a Computer Security Researcher with Tripwire's Vulnerability and Exposures Research Team (VERT) who has published numerous CVEs in his career and has been honoured (Q1-Q3 2013) for his role in disclosing vulnerabilities in the Google ecosystem. Craig is one of the most externally active VERT researchers: he has given talks at BSides SF 2013 and 2014 and DEFCON 21 on vulnerabilities he discovered in Google authentication systems. Craig has also identified vulnerabilities in various products and open source software projects, working with them to understand and resolve security problems. Abstract: Ever wonder how to find vulnerabilities? In 2013, I averaged 4-6 CVE assignments each month, and in this presentation I will go over the general tips and tricks I have found most effective at locating unknown vulnerabilities. Vulnerabilities explored will include web vulnerabilities (XS*, command injection, SQLi, etc.) and C/C++ application vulnerabilities (memory corruption, logic errors, etc.). To demonstrate the effectiveness of these techniques, I will provide example vulnerabilities along with the path which led me to finding them without the use of commercial analysis tools. I will also discuss some of my experiences working with vendors and developers to harden their products.
Tor: Attacks and Countermeasures by Dr Gareth Owen Biography: He lets his words speak for him (I'm making this up because it was empty.) Abstract: Tor is an anonymisation network which allows users to browse the internet without their true IP address being identified. Tor also allows those in countries which censor the internet to bypass that censorship, both by allowing users to access censored sites and to host websites which would otherwise land them in jail if it were possible to trace them. Initially, I will talk about how Tor works, explaining the infrastructure and high-level protocol. I will also introduce Tor Hidden Services, untraceable websites, and how this service is provided within the network. Briefly, I then touch on the Silk Road and Freedom Hosting hidden sites. Secondly, I will explain how countries such as China and Iran have attempted to block Tor and what steps have been taken to minimise this. I will also explain attacks against Tor users and network infrastructure that have been developed in academia (and the community), along with defences that can be deployed to minimise the risks. Finally, I will cover how the FBI took down Silk Road and delivered an exploit that was able to deanonymise visitors to Tor hidden services, covering the Firefox exploit and shellcode.
Honeywords: Detectable Password Theft by Gavin Holt Biography: Long-haired Scottish Hacker, Developer and Security Enthusiast on a mission to educate developers about best practice, the importance of not trusting users and of writing awesome, efficient and secure code. Student at the University of Abertay Dundee and Vice President of the Abertay Ethical Hacking Society. Loves all things Web Apps and Big Data. Abstract: Password theft is an ever-increasing problem. One of the challenges of password theft is detecting it. A possible solution to this problem is the use of "Honeywords". Honeywords would act in a similar way to a honeypot on a network, allowing password thefts to be detected by purposely seeding "fake" passwords and watching for their usage in a system. Should one of these passwords be used, the system can flag this for investigation or possibly take some automated action to mitigate the immediate risk. This talk examines the implementation of Honeywords, its effectiveness as a solution, and how the concept can be extended to prevent password dumps being used across services.
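The mechanism the abstract describes, written out as an added example (this is the editor's code, not the speaker's, and it follows the original Honeywords scheme of Juels and Rivest: each account stores k "sweetwords", of which one is real and the rest are decoys, and a separate minimal service, the "honeychecker", holds only the index of the real one). The decoy generator, the account name "alice", the password "Summer2014" and the choice of k = 5 are assumptions made for the demo; the hash is PBKDF2 from the standard library with a deliberately low round count, where a real deployment would use a slow password hash at production cost.

```python
"""Honeywords: k-1 decoy passwords are stored beside each real one, and a separate
honeychecker knows which index is real.  An attacker who steals and cracks the password
file cannot tell the real password from the decoys; logging in with a decoy is therefore
strong evidence that the file has leaked, and raises an alarm instead of a plain failure."""
import hashlib
import hmac
import os
import random
import string

K = 5                   # sweetwords per account (1 real + K-1 decoys); assumed for this example
PBKDF2_ROUNDS = 10_000  # kept low so the demo is quick; production needs far more, or argon2/bcrypt


def tweak_tail(password: str, n: int, rng: random.Random) -> list[str]:
    """Chaffing-by-tweaking-digits: re-roll the trailing digits so the decoys look like the
    real password.  A password with no trailing digits gets two appended, which an attacker
    who sees the file could spot; better decoy generation is a research topic of its own."""
    tail = 0
    while tail < len(password) and password[-1 - tail].isdigit():
        tail += 1
    head = password[:len(password) - tail]
    width = tail or 2
    decoys: set[str] = set()
    while len(decoys) < n:
        cand = head + "".join(rng.choice(string.digits) for _ in range(width))
        if cand != password:
            decoys.add(cand)
    return sorted(decoys)


def sweet_hash(salt: bytes, word: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", word.encode(), salt, PBKDF2_ROUNDS)


class HoneyChecker:
    """Separate hardened system.  Knows only user -> index of the real sweetword; never sees
    hashes or passwords, so compromising the password server alone reveals nothing."""
    def __init__(self) -> None:
        self._index: dict[str, int] = {}
        self.alarms: list[tuple[str, int]] = []

    def set(self, user: str, real_index: int) -> None:
        self._index[user] = real_index

    def check(self, user: str, index: int) -> bool:
        if index == self._index[user]:
            return True
        self.alarms.append((user, index))  # a decoy was used: the password file has leaked
        return False


class PasswordServer:
    """Holds the password file: per user a salt and K sweetword hashes in randomised order."""
    def __init__(self, checker: HoneyChecker) -> None:
        self.checker = checker
        self._file: dict[str, tuple[bytes, list[bytes]]] = {}

    def register(self, user: str, password: str, rng: random.Random) -> list[str]:
        sweetwords = tweak_tail(password, K - 1, rng) + [password]
        rng.shuffle(sweetwords)  # the real one must not sit at a predictable position
        salt = os.urandom(16)
        self._file[user] = (salt, [sweet_hash(salt, w) for w in sweetwords])
        self.checker.set(user, sweetwords.index(password))
        # Returned only so the demo can play an attacker who has cracked the stolen file;
        # a real server keeps no plaintext sweetwords.
        return sweetwords

    def login(self, user: str, attempt: str) -> str:
        """Returns 'OK', 'FAIL' (an ordinary wrong password) or 'ALARM' (a honeyword was used)."""
        if user not in self._file:
            return "FAIL"
        salt, hashes = self._file[user]
        h = sweet_hash(salt, attempt)
        for i, stored in enumerate(hashes):
            if hmac.compare_digest(h, stored):
                return "OK" if self.checker.check(user, i) else "ALARM"
        return "FAIL"


def demo(seed: int = 2014) -> dict:
    """Register one constructed account, then try the real password, a wrong guess, and a
    decoy as an attacker holding the cracked password file would."""
    rng = random.Random(seed)
    checker = HoneyChecker()
    server = PasswordServer(checker)
    sweet = server.register("alice", "Summer2014", rng)
    decoy = next(w for w in sweet if w != "Summer2014")
    return {
        "sweetwords": sweet,
        "real": server.login("alice", "Summer2014"),
        "wrong": server.login("alice", "letmein"),
        "decoy": server.login("alice", decoy),
        "alarms": list(checker.alarms),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The split between the two systems is the point of the design: the password server can decide "matched something" on its own, but only the honeychecker can tell a real match from a decoy, so the file and the index have to be stolen from two places before a dump becomes quietly usable.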
Top 10 Epic Fails in Identity by Paul Simmonds Biography: Paul is the CEO of the Global Identity Foundation, as well as a consulting CISO. He co-founded the Jericho Forum and was previously the Global CISO for both AstraZeneca and ICI. He's been awarded both "Chief Security Officer of the Year" and "Best Security Implementation" at the SC Magazine Awards and is twice listed as one of Network World's "most powerful people in networking". Paul sits on the global advisory board of a number of global companies. Paul is also one of the three global editors of the CSA v3 guidance document. Abstract: How we do Identity (and authentication) is well screwed-up, with the big names in the industry just as culpable as the smaller ones. Paul will detail the top 10 "Epic Fails" that our industry has implemented, is implementing and plans to implement, together with real-life examples of why all of these are a **really bad idea**. He will also look at what you could be doing differently today, and at what we should be doing tomorrow to fix the problems. Paul will draw on the original work of the Jericho Forum Commandments (2004), the Identity Commandments (2009) and the Cloud Security Alliance "Guidance" v3.0 Domain 12, for which he was the editor.
Continuous Security Testing in a Devops World by Stephen de Vries Biography: Stephen is the founder of the BDD-Security project and a 13-year application security veteran, having worked as a consultant at KPMG, Internet Security Systems and Corsaire. He's currently focussed on building tools to support security in the software development lifecycle and provides security training for developers and QA staff. Abstract: Devops and Continuous Integration practices present unique challenges to security teams, such as when to perform a penetration test when new code is deployed to production hundreds of times per day. In order to match the speed of development, security teams need to rethink their approach to testing. This talk will present the BDD-Security framework, which is designed to solve some of these challenges by providing security teams and developers with the tools to: a) specify the security requirements in a human-readable form; b) make those same requirements executable tests that can be run against a target application; c) record and test business logic vulnerabilities; d) integrate these tests into continuous integration and continuous deployment environments so that security testing can be performed continuously and on demand. The BDD-Security framework is not a web scanner. It is a testing framework built on JBehave, Selenium and OWASP ZAP that translates the world of security requirements into something that developers understand: executable tests, written in English. The talk will include a live demonstration of configuring and running the BDD-Security framework to test a web application and will also show how to integrate it with the Jenkins CI server so that security tests are run after every new code commit.
CSRFT, A Toolkit for CSRF vulnerabilities by Paul Amar Biography: I am still a student in Computer Science and passionate about Information Security. My main interest for the moment is Web vulnerabilities. Abstract: Cross-Site Request Forgery vulnerabilities are a growing danger, and yet there are virtually no tools allowing for easy and fast proof-of-concept prototyping. Therefore, my talk is dedicated to a tool that I'm currently developing to create a generic platform for CSRF vulnerability work. The project has been developed with Python and js/NodeJS, and configuration files are in JSON format. I'll also present an HTTP proxy I developed that you can combine with the toolkit to inject a malicious iframe into each page the user is browsing. Moreover, most people think that those vulnerabilities are not relevant if the user is not logged into the vulnerable platform. However, I'll explain how, with my custom toolkit, you can take advantage of those vulnerabilities even if the user is not (yet) connected to the platform. During the talk, I'll present the tool and its purpose, give several demos on how to use it, and show its real strengths, such as performing complex CSRF exploitation techniques using custom scenarios designed for the conference.