Talk Submissions and Voting


Voting closes at midnight on 4th of May, 2015! Please ensure you have voted by then.

There are 30 talks on offer and we recommend you take the time to read through the abstracts. At the bottom of the page is the form to vote with. Please select your top 10 talks, rating your top preference as one, your second as two, and so on for your top 10 picks.

In order to vote you need to provide your email address and your ticket number or hotel booking reference. We recognise that a large number of you are looking to pick tickets up on the door, so a ticket number is not compulsory to vote - but we do ask that only those planning to attend actually vote.

If you want to go straight to the voting form, click here; it will open in a new tab.


1. From Scareware and Ransomware to Destructionware: The evolution of the Cyber Criminal and how to stop them.

Ian Trump - @Phat_hobbit

Abstract:
Introduction:

The evolution of malicious actors in cyberspace provides a fascinating look at the information sharing and militarization of hacktivists, hostile nation state actors and cyber criminals. Distinct patterns in the evolution of effectiveness and rapid exploitation of vulnerabilities are observable in the malicious activity inside business. Examining the development, methodology and resulting damage at small, medium and large organisations can present threat intelligence and mitigation strategies for all organizations.

Wyndham Resorts, Target, Home Depot and recently Sony have common characteristics of data breach; but also some distinct differences. Although it would appear most of these attacks were financially motivated, nation state actors have noticed the effectiveness of cyber attacks as a low-risk, high-payoff venture for Intellectual Property (IP) theft and subversion of "transparent" business negotiations.

Threat Landscape:

The evolution from simple scripts that scare individuals into downloading fake antivirus software or content fine pages to ransomware clearly shows an increase in the menace posed by cyber criminals. Not to be outdone by cyber criminals, nation state actors have been identified as being responsible for some of the most complex, damaging and extensive system penetrations in recent weeks.

Clearly, the Sony hacking story has captivated an audience worldwide as attribution challenges, financial damage, lawsuits, corporate embarrassment and IP theft have ravaged the company. So badly shaken was Sony by protagonists that it sparked an international debate and engaged the media in discussions of cyber war, cyber retaliation and calls for intervention by a government in the affairs of a corporation.

The technological challenges of extricating the intruders are one of the complications of data breach. Now companies are also being inundated with lawsuits and allegations of executive board negligence. The public, shareholders and financial partners are becoming increasingly hostile towards companies that have had a laissez faire attitude towards cyber security.

Mitigation:

As we examine the consequences of data breach with a kill-chain analysis there are many opportunities to defeat the cyber criminals and malicious actors. In the examination of all these high-profile data breaches indicators of compromise, exfiltration of data, examination of IT policies & procedures and life cycle management of technology are all factors to consider.

As an example of a business strategy, planning a data breach as an in-house exercise, or facilitated educational experience can move the business beyond panic and focus an organization on incident management, map-out post breach activities, practice business resiliency and plan crisis communications. Cyber sweat in training saves cyber blood on the battlefield.

The presenter says...
The level of difficulty of this talk is 3 and I consider it is suitable for Business, Management, Any Geek
This talk has not been presented at other conferences and it can be filmed but release with permission.

2. Virtual Terminals, POS Security and becoming a billionaire overnight!

Grigorios Fragkos - @drgfragkos

Abstract:

Very few people use cash nowadays, as most use a debit or a credit card for their everyday needs. These transactions are performed through a Point-of-Sale (POS) device or through a Virtual Terminal. All the certified POS devices and Virtual Terminal applications, make use of strong encryption and secure communication channels in order to connect to the authorisation servers, and complete the transactions. Equally, in 2014 we saw the evolution of POS-affecting malware, where some large/global organizations like Target, Home Depot, and UPS were targeted by the BlackPOS, FrameworkPOS, and Backoff respectively, ending up in millions of card details being stolen, and millions of customers being affected from identity theft and financial fraud.

Following on the above, during this presentation, a number of features (provided in POS devices as standard functionality) and the ability to misuse them during a transaction will be demonstrated. But the main focus will be on a Threat Modelling engagement, undertaken against Virtual Terminals. More specifically, I will demonstrate the major difference between last year's POS malware targeting Card Holder Data (CHD) and a different approach, which targets the actual money directly. In other words, I will show you how I could have ended up with billions in my account, without having to steal a single card number. Dr. Grigorios Fragkos, follow: @drgfragkos

The presenter says...

The level of difficulty of this talk is 3 and I consider it is suitable for Techies, Business, Pentesters, Hackers, Any Geek
This talk has not been presented at other conferences and it can not be filmed.


3. DarkComet From Defense To Offense - Identify your Attacker

Kevin Breen - @KevTheHermit

Abstract:

DarkComet is a Remote Access Trojan that has been around for a while. It has been used by script kiddies and nation states alike. It is no longer in active development and it is well documented and understood. So why would you be interested in me talking to you about this bit of malware?

Because it has a vulnerability and a public exploit that can tell you a lot about the attacker's campaign. How many machines has he infected, where are the infected hosts, what information has he stolen from these machines?

Taking the exploit one step further and adding a little imagination and forensics knowledge we can start to identify the attacker himself. Identifying the IP and domain is easy and will give you some info. But what if you could get his daily email address, Facebook details, favourite coffee shop, local library, copy of his CV and if you are really lucky a txt file containing all the credentials for his remote exploit sites and FTP dumps.

This presentation is not going to look at the deep technical aspects of the exploit; instead it will start with the defensive posture against DarkComet and extract some key information from an attack against you, finishing with a case study showing what information can be extracted from the attacker.

The presenter says...
The level of difficulty of this talk is 3 and I consider it is suitable for Techies, Pentesters, Hackers, Any Geek
This talk has not been presented at other conferences and it can be filmed but release with permission.

4. Protecting your cloud server with a cloud IDS

Josh Pyorre - @joshpyorre

Abstract:

If you're hosting a website or other services in-house, it's trivial to watch your network for attack attempts and mitigate as needed. However, for the multitude of people using shared hosting, a VPS or who are running other services in the "cloud", the options to provide intrusion detection or attack statistics are limited.

But maybe there's a way to build an Intrusion Detection System, through which public traffic can pass for analysis. I'm proposing some ideas for the creation of a cloud IDS using open source tools to watch over your ethereal servers floating high up in the digital sky. With this, you can hopefully see all the things attackers are attempting, much like you would if you had full control of your publicly accessible server.

The presenter says...
The level of difficulty of this talk is 3 and I consider it is suitable for Techies and Any Geek
This talk has not been presented at other conferences and it can be filmed but release with permission.

5. Attribution Resilient Malware using Public Anonymizing Networks

Darren Martyn - @info_dox

Abstract:

This talk demonstrates how one could go about creating attribution-resilient malware by utilizing public anonymity tools (such as Tor) to not only make attribution of said malware significantly more difficult, but also perhaps even cause misattribution of an attack to some third party.

The talk will involve building a simple proof of concept malware sample that demonstrates these methodologies, and hopefully point out some potential problems with current attribution methods in use.

The presenter says...
The level of difficulty of this talk is 3 and I consider it is suitable for Techies, Pentesters, Hackers, Any Geek
This talk has not been presented at other conferences and it can be filmed but release with permission.

6. Updating the Future

David Rogers - @drogersuk

Abstract:

Software updates are a nightmare. For users, for manufacturers and also for the hacking community. That zero day that gets binned after months of effort can really be upsetting. Or something.

Mobile phone software updates are difficult. Deploying to millions of users on fragmented platforms across networks that can be very limited is just plain hard. Put mobile network operators and a bunch of other stakeholders in the mix and it gets even worse. So how can we make it better? Do we have to submit to a vertical supply chain dominated by one vendor and their whims? Are users being deliberately sacrificed because end-of-lifing a product or platform is cheap? What about the device? Can we or should we even trust it? What is an acceptable time to fix?

The mobile industry is working on this, but it isn't easy. This talk discusses the many challenges and what solutions are being proposed. It also takes a look at what requirements are necessary for updating constrained devices in both the Internet of Things and Automotive.

The presenter says...
The level of difficulty of this talk is 3 and I consider it is suitable for Techies, Business, Management, Pentesters, Hackers, Any Geek
This talk has not been presented at other conferences and it can be filmed but release with permission.

7. Evolution of SSL 1995-2025.

Christoffer Olausson

Abstract:

With cybercrime on the rise it becomes increasingly important to understand cybersecurity to protect your business. SSL, Secure Sockets Layer, plays a critical role in the multilayer security model. Today's presentation will address known attacks such as Heartbleed and POODLE but also focus on the next generation of SSL.

The presenter says...
The level of difficulty of this talk is 3 and I consider it is suitable for Techies, Business, Management, Pentesters, Hackers, Any Geek
This talk has been presented at other conferences and it can be filmed but release with permission.

8. What's with providing Security to Data Science?

Vishal Kalro

Abstract:

Data Science is a new age discipline to mine, analyze and process meaningful information from data. All organizations, be they businesses, public sector or non-profits, are becoming dependent on Data Science for their marketing, sales, operations and even information security requirements. The size of the data, variation in data types and disparate sources, computing and real time analytic requirements make the traditional data infrastructure and security practices inadequate. To add to all this, the user generated data raises questions around privacy and security.

The presentation is focused on the holistic approach for securing Data Science Operations and its underlying Infrastructure. Holistic security can be achieved by a matured governance framework, well defined processes and using technology as an enabler. The presentation will be a deep dive in discussing the common security concerns, issues and vulnerabilities related to Data Science Operations and Infrastructure. The focus is on discussing the conceptualized Security framework for Data Science Infrastructure which will provide complete data security along with compliance to various requirements like SOX, PCI, HIPAA, ISO 27001 etc.

The presenter says...
The level of difficulty of this talk is 3 and I consider it is suitable for Techies, Business, Management, Pentesters, Hackers, Any Geek
This talk has not been presented at other conferences and it can be filmed but release with permission.

9. Introducing wifiphisher, a tool for automated WiFi phishing attacks

George Chatzisofroniou - @_sophron

Abstract:

WiFi networks are commonly plagued by two serious issues: i) management frames can be easily forged and ii) wireless devices tend to automatically connect to the Access Point with the best signal. The Evil Twin and Karma attacks exploit the above issues, allowing attackers to perform man-in-the-middle and phishing attacks.

This presentation will introduce wifiphisher (https://github.com/sophron/wifiphisher), an open-source tool that automates the process of launching WiFi phishing attacks. Wifiphisher comes with a set of community-built templates for different phishing scenarios.

The presentation will explain in detail how WiFi phishing attacks work. It will also explain the reasons behind the success rate of these attacks, showing how different Operating Systems (and users in different environments) react during these attacks. Finally, countermeasures will be discussed that could limit the exposure to such attacks for individuals and organizations.

The presenter says...
The level of difficulty of this talk is 2 and I consider it is suitable for Techies, Management, Pentesters, Hackers, Any Geek
This talk has not been presented at other conferences and it can be filmed but release with permission.

10. Elliptic Curve Cryptography for those who are afraid of maths

Martijn Grooten - @martijn_grooten

Abstract:

Elliptic Curve Cryptography (ECC) is hot. Far better scalable than traditional encryption, more and more data and networks are being protected using ECC. Not many people know the gory details of ECC though, which given its increasing prevalence is a very bad thing. In this presentation I will turn all members of the audience into ECC experts who will be able to implement the relevant algorithms and also audit existing implementations to find weaknesses or backdoors.

Actually, I won't. To fully understand ECC to a point where you could use it in practice, you would need to spend years inside university lecture rooms to study number theory, geometry and software engineering. And then you can probably still be fooled by a back-doored implementation.

What I will do, however, is explain the basics of ECC. I'll skip over the gory maths (it will help if you can add up, but that's about the extent of it) and explain how this funny thing referred to as "point addition on curves" can be used to exchange a secret code between two entities over a public connection. I will also explain how the infamous backdoor in Dual_EC_DRBG (a random number generator that uses the same kind of maths) worked.

At the end of the presentation, you'll still not be able to find such backdoors yourselves and you probably realise you never will. But you will be able to understand articles about ECC a little better. And, hopefully, you will be convinced it is important that we educate more people to become ECC-experts.

The presenter says...
The level of difficulty of this talk is 2 and I consider it is suitable for Techies, Pentesters, Hackers, Any Geek
This talk has not been presented at other conferences and it can be filmed but release with permission.

11. How I Rob Banks

Freaky Clown - @__freakyclown__

Abstract:

An updated version of the very popular talk that has never been recorded!

Let me take you on a roller coaster ride that highlights all the security issues that I come across day to day as I run around and break into banks and other "interesting" secure sites. We shall cover everything from pigeons in bank accounts through to stealing vast amounts of classified materials, how I bypass locks and circumvent security, jumping fences and pretending I'm James Bond.

This talk is meant to combine light-hearted comments, demonstrations and photos. Warning: it will contain swearing and will NOT be recorded.

The presenter says...
The level of difficulty of this talk is 1 and I consider it is suitable for Techies, Business, Management, Pentesters, Hackers, Any Geek.
This talk has been presented at other conferences and it can not be filmed and is only for those attending.

12. My love-hate affair with Security Operations

Javvad Malik - @J4vv4D

Abstract:

I started my career in security operations. It was great - the world was at my fingertips with full admin rights across every single Windows NT domain, RACF instance, Tandem, Unix and SQL box… it didn't matter that I never always fully knew what I was doing. The rush of making changes to the firewall in production in order to resolve a P1 incident was unmatched. I was like Eliot Ness, I was untouchable!

That was, until the business became overly reliant on its IT systems and any minor outage caused by me or my colleagues would escalate into a colossal f-up. We were unprepared, unplanned and caught with our pants down.

Many years after my SecOps days and much therapy later I'm coming clean about my love-hate affair with secops. The shady dealings, the password-resets for favours and how I escaped the life of lies.

The presenter says...
The level of difficulty of this talk is 1 and I consider it is suitable for Any Geek
This talk has not been presented at other conferences and it can not be filmed but release with permission.

13. Why bother assessing popular software?

James Loureiro & David Middlehurst - @mwrlabs

Abstract:

Many popular software packages have gone through many iterations of white and black box testing, raising the bar for attackers. Over time the security controls become more effective; however, these software packages have large, evolving attack surfaces.

In this talk we discuss a case study which includes how we approached assessing Adobe Reader, how we made progress and why it is worth investing the time and effort on targets such as this. We discuss fuzzing, the sandbox and delve into the JavaScript API. A refreshing look into how we can make a difference by looking at complex targets.

The presenter says...
The level of difficulty of this talk is 3 and I consider it is suitable for Techies, Pentesters, Hackers
This talk has not been presented at other conferences and it can be filmed but release with permission.

14. Threat Intelligence a new approach for cyber security

Alonso Silva

Abstract:

An increasing number of organisations and individuals fall victim to cyber attacks, despite having set defence mechanisms. Most victims implement a rather traditional perimeter-based approach to cyber security, defending against known attacks with solutions like anti-virus and firewalls, increasingly ineffective against targeted attacks by persistent adversaries. The growing number of successful cyber attacks being launched every year is a clear indication that this model is not working effectively, and is not sustainable. Forward-looking organisations are adopting a new model, informed by threat intelligence and more inclusive of the complete chain of operations necessary to launch, and defend against, a cyber attack.

The presenter says...
The level of difficulty of this talk is 3 and I consider it is suitable for Techies, Business, Management
This talk has been presented at other conferences and it can not be filmed and is only for those attending.

15. Crash all the Flying Things! - exploiting and defending aircraft collision avoidance

Joe Greenwood - @SeawolfRN

Abstract:

The engineering industry has been traditionally slow to adopt security, with the woeful state of ICS/SCADA systems as a prime example. This talk will discuss glaring holes in the Automatic Dependent Surveillance - Broadcast system on aircraft, and how these can be used to cause aerial mayhem. Mitigations and defenses will also be discussed.

The presenter says...
The level of difficulty of this talk is 3 and I consider it is suitable for Techies, Pentesters, Hackers, Any Geek
This talk has not been presented at other conferences and it can be filmed but release with permission.

16. Pentesters working together? Sounds like a joke... But let's make it possible

Johannes Stillig - @johanneslondon

Abstract:

Teamwork is essential for all penetration testing engagements to share knowledge and ideas. However, collecting information and results can be painful and complex. Vulnerabilities and potential exploits might be overlooked and not used properly...

A whole penetration test's target can be missed, and time and budget wasted.

However, managing results and the current project state of a penetration test is complicated and time consuming too. Although there are different collaboration tools out there, many testers stick to manual ways of managing results and creating reports because tools are too complicated to use or modify for their needs.

Within this talk a new collaboration tool based on the open-source software verinice (www.v.de) will be presented to the public. The tool will provide testing teams with both a web front end and a thick client to document results and progress. A big focus will be on usability and the ability to modify the front end for individual needs. A built-in report function allows the aggregation of detailed testing results into different file formats.

To assess risk and the possible implications of vulnerabilities the OWASP risk rating methodology will be implemented into the tool.

The whole tool will be available for free download after the presentation and distributed under an open source license. The long-term goal for this software is to also create a work environment for the digital forensic guys.

The presenter says...
The level of difficulty of this talk is 3 and I consider it is suitable for Techies, Business, Management, Pentesters, Hackers
This talk has not been presented at other conferences and it can be filmed but release with permission.

17. OSXCollector: Automated forensic evidence collection & analysis for OS X

Kuba Sendor - @jsendor

Abstract:

We use Macs a lot at Yelp, which means that we see our fair share of Mac-specific security alerts. Host based detectors will tell us about known malware infestations or weird new startup items. Network based detectors see potential C2 callouts or DNS requests to resolve suspicious domains. Sometimes our awesome employees just let us know, “I think I have like Stuxnet or conficker or something on my laptop.”

When alerts fire, our incident response team's first goal is to “stop the bleeding” – to contain and then eradicate the threat. Next, we move to “root cause the alert” – figuring out exactly what happened and how we'll prevent it in the future. One of our primary tools for root causing OS X alerts is OSXCollector.

OSXCollector (https://github.com/Yelp/OSXCollector) is an open source forensic evidence collection and analysis toolkit for OS X. It was developed in-house at Yelp to automate the digital forensics and incident response (DFIR) our crack team of responders had been doing manually.

The presenter says...
The level of difficulty of this talk is 3 and I consider it is suitable for Techies, Pentesters, Hackers
This talk has not been presented at other conferences and it can be filmed but release with permission.

18. osquery: Intrusion Detection using SQL

Javier Marcos - @javutin

Abstract:

osquery is an instrumentation framework for OS X and Linux. It exposes low-level operating system information as virtual SQL “tables”. This is a two part talk focusing on how Facebook uses osquery for incident response and intrusion detection and how osquery (a security tool) is built and tested.

Facebook recently released a new host instrumentation toolkit called osquery. Part of the osquery toolkit is an open source daemon that runs as a superuser userland process on production Linux and enterprise OS X infrastructure. The tool was developed to provide fleet-wide visibility for both proactive detection as well as response triage.

A response-based ELF/Mach-O binary has several implicit requirements: expect the OS is compromised, do not tamper with potential evidence, react as fast and efficient as possible. It's necessary to develop a somewhat-universal and compact binary with as few-as-possible dependencies. This binary needs to be tested on as many platforms as possible, using the most reliable information retrieval possible (syscall vs shell exec), and much more. During development, these straightforward response-based requirements became very burdensome for a team of open source developers.

We have captured our development and code architecture lessons into a hit list for any security-tool developer. Using osquery as a use case, this talk will cover the following:

  1. Dependencies and compiling to resist tampering
  2. Building C++ for reliability and mostly-universal execution
  3. Userland daemon process resiliency (for OS X, CentOS, and Ubuntu)
  4. Configuration and logging integrity, signing, and authentication
  5. Exposing protected host and network APIs

When run as a daemon or interactive shell, osquery can be used for intrusion detection or incident response. The daemon uses a schedule of queries to log operating system state changes. We will share our most effective queries to log high-signal behaviors used to detect compromise. osquery also wraps system event frameworks like IOKit, fseventsd, inotify, and udev. The events are queryable and may use the query schedule to log changes such as file creates and deletes or USB device insertion and removal.

Examples:
SELECT DISTINCT process.name, *
FROM processes AS process
JOIN listening_ports AS listening ON process.pid = listening.pid
WHERE name != 'cupsd';

SELECT *
FROM nvram
WHERE name NOT IN ('backlight-level', 'SystemAudioVolumeDB', 'SystemAudioVolume');

The interactive shell enables a security engineer to triage and explore system state during potential compromise. There are no execs or subprocesses used: 100% system API/syscall/ioctl integration or filesystem structure parsing. This guarantees flexibility and attempts to be as least invasive as possible. Facebook's intrusion detection team will share and discuss helpful OS X queries for incident response and compromised host investigation.

The behavior detection and incident response queries focus on:

  1. OS X persistence: Easy, medium, hard methods
  2. Host perspective network details
  3. User and Application exploitation artifacts
  4. Process and hardware device details

The presenter says...
The level of difficulty of this talk is 3 and I consider it is suitable for Techies, Pentesters, Hackers
This talk has not been presented at other conferences and it can be filmed but release with permission.

19. Introducing the Cyber Security Practitioner Well-being Study

Chris Sumner - @TheSuggmeister

Jack Daniel - @jack_daniel

Abstract:

This short talk will introduce a study, to be piloted at Bsides London, which examines whether technical Cyber Security practitioners self-report lower levels of well-being and greater levels of depression/stress symptoms than their non-technical peers and general society; if so, what might be contributing factors and what are the broader implications for the profession and organizational/national security?

The talk will outline the rationale behind investigating factors such as Autism Spectrum Quotient, Personality and Attachment Styles in relation to well-being and stress related illnesses.

A shortage of skilled Cyber Security professionals has been identified as a key barrier to the growth of the security sector and the ability for nations and organizations to respond to cyber threats. Understanding well-being and depression/stress symptoms in relation to the Cyber Security sector is an important and relatively unexplored area of study, as many of the personality traits that characterize a good Cyber Security practitioner may also predispose them to depression or stress symptoms.

The presenter says...
The level of difficulty of this talk is 1 and I consider it is suitable for Any Geek
This talk has not been presented at other conferences and it can not be filmed and is only for those attending.

20. More budget, more experts and more tech won't make things better. Want to hear what will?

Douglas Ferguson - @pharossecurity

Abstract:

Fact.

Companies of all sizes, budgets and levels of expertise can be savagely impacted by threat tactics that are, at best, modestly sophisticated. Which is weird, because it seems intuitive that if you have all the experts, tons of budget, the latest tech and the big brand partners you'd be in a much better place. Right?

Question - Why is security hitting a glass ceiling for the level of protection we can achieve – and how do we break through it?

There's lots of theories about what needs to change. The Board need to ‘get it'. Security needs a place at the table. We need to ‘get the basics right'. Or we need next-gen real-time big data threat intelligence, depending who you talk to. And there's loads of reasons given about why security isn't able to get what it needs. The business only wants an ISO check box. It's impossible to show ROI. We're not regulated so the business has no reason to spend on security.

But are these facts? Or are they myths and red herrings that are distracting us from what really matters?

If you'd like to benefit from the tough lessons I learned inside a top 10 global bank about what it takes to make things better – and avoid the pain involved in figuring it out – vote up for this talk!

The presenter says...
The level of difficulty of this talk is 3 and I consider it is suitable for Techies, Business, Management, Pentesters, Hackers, Any Geek
This talk has not been presented at other conferences and it can be filmed but release with permission.

21. E-banking transaction authorization – possible vulnerabilities, security verification and best practices for implementation

Wojciech Dworakowski - @wojdwo

Abstract:

During 10+ years of my professional experience as an application security expert I had a chance to verify many internet banking solutions. Most of the modern internet or mobile banking applications in Poland use some sort of second factor, such as TAN lists, SMS codes, time-based OTP tokens, challenge-response solutions, smart-cards, mobile tokens, unconnected card readers, etc. to let the user verify banking operations and to protect against MitM or malware attacks.

As a result of security tests in pre-production, it turned out that it is not very rare for tested systems to have security flaws regarding the implementation of those transaction authorization mechanisms, especially in the business logic layer, that (if not detected and corrected) could allow an attacker to bypass or weaken those safeguards. Vulnerabilities could be caused (as usual) by wrong decisions during the planning phase or poor implementation. During this presentation I would like to throw light on transaction authorization mechanism security.
The agenda will include:

  • Discussion and some examples of possible vulnerabilities in the process of authorization of e-banking transactions (including incorrect assumptions and incorrect implementation) that could allow an attacker to bypass those security mechanisms.
  • Discussion about resistance of selected transaction authorization mechanisms to common banking malware attacks.
  • Suggested best practices regarding implementation of transaction authorization.

The presenter says...
The level of difficulty of this talk is 3 and I consider it suitable for Techies, Management, Pentesters, Hackers.
This talk has been presented at other conferences; it cannot be filmed and is only for those attending.

22. Proprietary network protocols - risky business on the wire.

Jakub Kaluzny - @j_kaluzny

Abstract:

When speed and latency count, there is no place for the standard HTTP/SSL stack, and a wise head comes up with a proprietary network protocol. How do you deal with embedded software or thick clients using protocols with no documentation at all? Binary TCP connections, unlike anything else, impossible to adapt to a well-known local proxy. Without disassembling the protocol, pentesting the server backend is very limited. However, when you dive inside this traffic and reverse-engineer the communication, you are there. Welcome to a world full of home-grown cryptography, reversible hash algorithms and no access control at all.

We would like to present our approach and a short guideline on how to reverse engineer proprietary protocols. To demonstrate, we will show you a few case studies which, in our opinion, are the quintessence of "security by obscurity": the most interesting examples from real-life financial industry software, which is a particularly risky business regarding security.

The presenter says...
The level of difficulty of this talk is 4 and I consider it suitable for Techies, Pentesters, Hackers, Any Geek.
This talk has been presented at other conferences; it can be filmed, but release requires permission.

23. Power to the People: bringing infosec to the masses

Jessica Barker - @drjessicabarker

Abstract:

To truly make a difference in infosec, our industry needs to better understand the people using technology and systems: what they're worried about and scared of, and what motivates their behaviours. Combining primary research which explores how the average user feels about cyber security and how this drives their behaviour, with sociological and psychological theory, this talk addresses the most crucial, and weakest, link in infosec: the human factor. This analysis allows us to better understand why behaviours aren't improving, despite far greater media reporting, and general awareness, of online threats. The talk outlines what we can do to engage with users in a more effective and positive way to change behaviours for the better.

The presenter says...
The level of difficulty of this talk is 2 and I consider it suitable for Techies, Business, Management, Pentesters, Hackers, Any Geek.
This talk has not been presented at other conferences; it can be filmed, but release requires permission.

24. And how is your "awareness" program working for you brah?

Herbie Zimmerman - @herbiezimmerman

Abstract:

A year ago I gave a talk here at BSides London in the Rookie track about what I had learned trying to start and build an awareness program at work. Fast forward a year, and I am still learning what it takes to start building a security culture (because awareness is really dead), and dealing with a failed awareness program. Through this time I have come to realize that building a security culture is like a marriage/relationship. If you don't have certain aspects solidified, then you are doomed to heartache and wasted time.

The presenter says...
The level of difficulty of this talk is 2 and I consider it suitable for Techies, Business, Management, Any Geek.
This talk has not been presented at other conferences; it can be filmed, but release requires permission.

25. OpSec vs Attribution - the Hollywood view.

Stephen Bonner - @stephenbonner

Abstract:

Many of the nation state approaches to cyber security require accurate attribution; however, this has proved elusive, as the majority of indicators are under the control of the attacker and their OpSec. As a regular contributor to BSides, Stephen will once again bring his irreverent (irrelevant?) style to review the lessons that Hollywood provides in TV and movies on both OpSec and attribution, and will discuss how these portrayals are affecting attacker, defender and political approaches to these problems. (Popcorn will be provided.)

The presenter says...
The level of difficulty of this talk is 3 and I consider it suitable for Techies, Business, Management, Any Geek.
This talk has not been presented at other conferences; it cannot be filmed and is only for those attending.

26. OWASP Security Knowledge Framework

Glenn ten Cate - @FooBar_testing_

Abstract:

The OWASP Security Knowledge Framework Project is intended to be a tool used for building, verification and training. It's the first step in the Software (AND Security) Development Life Cycle.

It is an expert-system web application that uses the OWASP Application Security Verification Standard. It supports developers in pre-development (security by design) and after release of code (OWASP checklist levels 1-3).

Our experience has taught us that the current level of security that current web applications contain is not sufficient to ensure security. This is mainly because web developers simply aren't aware of the risks and dangers that are lurking, waiting to be exploited by hackers.

Because of this we decided to develop a security tool in order to create a guidance system available to all developers, so they can develop applications that are secure by design.

The Security Knowledge Framework is here to support developers in creating secure applications. By analyzing the processing techniques the developers use to handle their data, the application can link these techniques to known vulnerabilities and give the developer feedback with descriptions and solutions on how to properly implement these techniques in a safe manner.

The second stage of the application is validating whether the developer properly implemented different types of defense mechanisms, by means of different checklists such as the Application Security Verification Standard.

Based on the answers supplied by the developer, the application again generates documentation that gives feedback on which defense mechanisms he forgot to implement, with descriptions and solutions on how to properly implement these techniques in a safe manner.

The presenter says...
The level of difficulty of this talk is 1 and I consider it suitable for Techies, Business, Management, Pentesters, Hackers.
This talk has been presented at other conferences; it can be filmed, but release requires permission.

27. Seccubus Automated Security Scanning

Frank Breedijk - @seccubus

Abstract:

Seccubus automates vulnerability scanning with Nessus, OpenVAS, Nmap, SSLyze, Burp, Medusa, SkipFish, OWASP ZAP and SSL Labs.

Why Seccubus?

Anyone who has ever used a vulnerability scanner like Nessus or OpenVAS will be familiar with one of their biggest drawbacks. They are very valuable tools, but unfortunately they are also very noisy. The time needed to report on the findings of a scan is often two or three times the time needed to do the actual scan. Seccubus was created to analyze the results of regular vulnerability scans more effectively. It was designed with defenders in mind who have to scan the same infrastructure regularly.

How does it work?

Seccubus runs vulnerability scans at regular intervals and compares the findings of the last scan with the findings of the previous scan. The delta of this scan is presented in a web GUI where findings can easily be marked as either real findings or non-issues. Non-issues are ignored until they change. This causes a dramatic reduction in analysis time. Before the results of a vulnerability scan are imported into Seccubus, they are first converted to the Intermediate Vulnerability Information Language (IVIL) format to make sure Seccubus can work with many different scanners.

The presenter says...
The level of difficulty of this talk is 1 and I consider it suitable for Techies, Business, Management, Pentesters, Hackers.
This talk has been presented at other conferences; it can be filmed, but release requires permission.

28. Operationalising SANS Top 4 Controls

Gavin Millard - @gmillard

Abstract:

With new vulnerabilities disclosed every day, new systems spinning up every minute and the data you need to protect increasing by the second, the ability to continuously monitor the infrastructure for weakness is fundamental to having confidence that a breach couldn't occur or hasn't already happened. With this new threat landscape we face, it's critical that organisations ensure that the security controls in place are working effectively and efficiently, and that when a control fails, the indicators are identified quickly and with full visibility, to reduce the impact of a possible loss of confidential data.

Key takeaways from this presentation include:

  • Understanding where the true threats reside within the infrastructure.
  • What effective metrics can be applied to your security controls to gain insight into how each part of the organisation is performing and where the holes in the security program are.
  • How to communicate the value of the security controls upwards to management, and expectations downwards to the operational team, to secure budget and reduce the risk of cyberattack.

The presenter says...
The level of difficulty of this talk is 3 and I consider it suitable for Techies, Business, Management, Pentesters, Hackers, Any Geek.
This talk has been presented at other conferences; it can be filmed, but release requires permission.

29. Attacking Attribution Attachment

Andrew Hay - @andrewsmhay

Abstract:

Does attribution matter? Unless you're a Government or Government-backed entity, probably not. Let's face it, the average organization doesn't have the ability to launch kinetic responses such as drone strikes or the invasion of the offending country or regime. What's more important than the WHO-finger-pointing are the tactics and infrastructure wielded by the attackers. You could rely on a handful of threat intelligence feeds to tell you how you're being targeted but, let's face it, threat intelligence feeds were designed to be applicable to a wide audience. Once thought of as unique, each feed has quickly become commoditized and indistinguishable from each other - often sharing feeds between vendors and aggregating free feeds from the same sources.

This talk will explore the attribution that matters to organizations targeted by opportunistic attackers and by the advanced adversaries looking to exploit our weaknesses. The WHATs, WHENs, WHYs and HOWs will be explored to give organizations a better chance at tracking the threats they face. A model will be presented to show attendees how to focus their organization's gaze on the threats targeting their respective industry verticals, company size, geographic locations and security controls. We'll also explore how to look at adjacent industries, companies and geographies in an effort to expand our net of critical information consumption, by presenting better ways to look at your threat intel feeds.

The presenter says...
The level of difficulty of this talk is 3 and I consider it suitable for Techies, Business, Management.
This talk has not been presented at other conferences; it can be filmed, but release requires permission.

30. We are not unique

Jelle Niemantsverdriet - @jelle_n

Abstract:

We like to think we are special snowflakes in our field of security; however, a lot of our problems are decades- if not centuries-old problems that other disciplines like medicine, economics, marketing or psychology have been dealing with for a while. We will explore some of these other fields to learn some practical new ways to look at our challenges and improve our effectiveness through seemingly small tweaks.

The presenter says...
The level of difficulty of this talk is 3 and I consider it suitable for Techies, Business, Management, Any Geek.
This talk has been presented at other conferences; it can be filmed, but release requires permission.

31. Intelligence led Penetration Testing - applying attack tradecraft and tools

Cam Buchanan - @buckybilson

Abstract:

As cyber-attacks have become more sophisticated and prevalent, it is key that penetration testing evolves accordingly to continue to add value to the organisations that use it as a key security control. Utilising threat intelligence and OSINT as the scoping tools to make a penetration test bespoke, relevant and realistic to our clients is something that BAE Systems is currently focussing on. Part of our approach involves collecting, repurposing and mimicking real attack toolkits and techniques attributed to threat actors, which we have collected through our threat intelligence and incident response work.

The focus of this presentation is how to use both general threat intelligence and recovered attack toolkits to define and deliver this type of highly focussed testing. It will use references to examples of tool repositories we have access to, malware we have reverse engineered and tools we have written to replicate real attacks.

The audience should leave the presentation with an understanding of the process of turning a threat intelligence report into a set of actionable tests that emulate the behaviour of distinct attack groups and tools, and of how they might apply this to future STAR and intelligence-led penetration testing assignments.

The presenter says...
The level of difficulty of this talk is 2 and I consider it suitable for Techies, Pentesters, Hackers, Any Geek.
This talk has been presented at other conferences; it can be filmed, but release requires permission.

Please click here (opens in a new tab) to vote.

In order to vote you will need to select the top 10 talks of your choice, rank them in order of preference (i.e. your most preferred talk gets a rank of one) and provide us with your email address and ticket order number or hotel confirmation number.

Please note, failure to provide a valid e-mail account may result in your votes being rejected.

You can change your vote at any time during the voting period by resubmitting the form; only your latest votes at the time of closing will be counted. If you encounter any issues during the voting process, please contact cfp at securitybsides.org.uk detailing the issue and we will assist you.