Dylan Wheeler was a member of the Xbox Underground international hacking group in 2011, the events of which were featured in many articles including Wired USA. Since then he began a career as a white-hat security researcher. Recently, his team at Day After Exploit Ltd discovered a vulnerability in Atrient's system. The discovery led to Wheeler being allegedly assaulted by their CFO. This demonstrates the issue in the industry when it comes to the treatment of security researchers whose work is vital for the community. To prevent threats, the disregarding of information and further possibility of assault, there needs to be more awareness of appropriate practices for researchers and vendors. How should security researchers communicate and how should vendors respond? There are many common problems to discuss such as what to do when there is no bug bounty program in place and how can researchers ask for rewards from vendors for their hours of work. The world of information disclosure can be treacherous but if handled correctly it can be beneficial to all parties involved.

Security researchers and professionals are often left with frustration after trying to report vulnerabilities and issues that have been discovered. We will be detailing a real scenario where reporting an issue turned into a changing point in business. We often think of corporates as giants with fingers in their ears, but what if you're a scary jerk that's equally to blame? After a handful of angry emails back and forth and some disruption caused, what was uncovered is that actually, there were humans at both sides. Dealing with a security issue is more than an instant fix and we will be showing why efforts are not always initially met with gratification. We managed to set in action something magical... This is a tale of two sides and hopefully, a comedy With an intriguing outcome for all.

When you look at sandboxes like Cuckoo, the idea of creating your own automated sandbox might sound next to impossible, but it's not nearly as hard as you might think. This talk is about what you need to build your own, from scratch, for next to no money.

This talk will look at how to determine what security and privacy risks are worth accepting and the security benefits and downfalls of accepting and making payments using everything from PayPass/PayWave, EMV (Chip), Venmo, AliPay to ApplePay, Google Pay and PayPal. While the security and ease of use of payment tech has improved dramatically in the last 20 years, this talk won't explore every option. Specifically I will leave the costs and benefits of using cash and cryptocurrencies up to the viewers own imagination.

Cybercriminals almost always pick the lowest hanging fruit, and consequently, as tools and technologies for protecting ourselves and our data have gotten more sophisticated, they have shifted more towards exploiting human behaviour to gain access to systems, credentials, and data. Unfortunately, our investment in resources and research into human factors hasn't kept pace with their exploitation. The problem is many of the behaviours that protect us against threats using strong and unique passwords, reporting spam and social engineering attempts, and securely sharing sensitive documents are tedious to engage in. How do you get people to do things that aren't fun or interesting, or part of their core job responsibilities? The predominant model in Behavioral InfoSec uses fear, uncertainty, and doubt (FUD) to promote good security behaviour, but results have been unimpressive. We propose another way, turning the human tendencies that threat actors exploit to our advantage in the fight against them. Using real-world examples from within information security, and drawing on the field of health promotion as an analogy, we will talk about ways to help employees willingly take up good cyberhealth and hygiene habits.

SCADA systems are known for their deterministic nature. This determinism premise is not seldom tested using current best practice data science techniques. This talk will show the formalism that can be obtained using methods developed in research performed on utility data.

Kerberos and Splunk are both complex beasts which present plenty of opportunities for both red and blue teams. In this talk we aim to cover both sides by looking at how to attack and defend kerberos based attacks, along with how to evade detection and also what to do when you do get a detection! Hopefully leaving everyone with a better understanding and appreciation of their impact on an environment as a red team operator and providing blue team operators with insight into the weird and wonderful world of Splunk detections and how to categorise and act on certain events. The underlying message being, understand what you are doing, what Indicators of Compromise (IOC) you will set off, and what to do when there is a detection.

The following areas will be covered throughout this talk:

• Kerberos - How it works, Attacks, Tooling, Environment Footprint / OpSec, Evasive Maneuvers
• Splunk - How it works, Deployment, Plugins, Detecting Kerberos Attacks
• Response / Threat Hunting off the back of an alert, Honey SPNs Evasion
• Using Splunk Against itself, compromise through the Splunk Dashboard and through Splunk forwarders

Advanced adversaries are having to become increasingly more creative whilst carrying out their actions during an attack. The concept of 'Living off the Land Binaries' (LOLBins) is a good example of this, leveraging native tools installed by default in the Operating System to perform various stages of the Cyber Kill Chain. However, the malicious use of such tools is often trivial to detect/block, and could result in early failure of a campaign. It is possible however to take this concept one step further by leveraging native functionality provided by ubiquitous third party software. Such software is increasingly being targeted by APTs when conducting campaigns against organisations for example MeDoc and NotPetya. Whilst it is well known that third party software presents the risk of compromise through supply chain attack, less risk is considered around the features of such software. This talk will demonstrate a kill chain carried out almost entirely through functionality provided by a single software suite. This will be by way of a case study on AutoDesk's AutoCad, a market leader in CAD software. Further to this, at each stage of the kill chain we will provide insights that allow the concepts shown to be applied to other similar software.

All too often, an organisation's choice of cloud provider is made at a senior management level, without considering security features of the different services. To help make an informed decision, we'll attempt to answer this question at Security BSides: Who provides the best security features: AWS or Azure? Drawing on experience of cloud migration projects in each environment, core AWS services and their Azure equivalents will be demonstrated, describing the security features in each case:

• AWS Identity and Access Management vs Azure Active Directory
• AWS S3 vs Azure Storage
• AWS Key Management Service vs Azure Key Vault
• AWS Security Groups vs Azure Network Security Groups
• AWS Security Hub vs Azure Security Center

As a security analyst with an atypical entry into the information security world, one of my research questions posed in social engineering is why reading a diverse array of topics is beneficial to the social engineer, be it something they are passionate about or not. In building upon Defcon 24 presentation at the Social Engineering Village by Tomohisa Ishikawa: 'Does Cultural Differences become a barrier for social engineering?' cultural differences presented by different countries place emphasis on different genres; therefore, what one person from a certain country holds dear, the other may not. Therefore, your reconnaissance, pretexts and elicitations and the support required must be able to adapt. I have found this to be true. Reading/Watching/Listening like a 'Renaissance individual (knowledgeable on a variety of topics but not limited to select ones) ameliorates this challenge. The answer came from a combination of attending the Advanced Practical Social Engineering course in 2016 and a self-reflection; all the reading I loved and hated as a child and as an adult has given me an extensive web to build rapport through as a social engineer and improve my elicitation to procure more information . In my talk, I would like to discuss how to develop a strategy and which areas to focus on so you would be available to navigate even through the 'darkest of waters' and the 'coldest of individuals' and get information you would need.

Hybrid cloud environments are gaining popularity, but there's a hidden danger. Synchronizing between your open-premises and cloud directories opens your network to a new class of attacks. This session will demonstrate how hackers can exploit cloud directory connectors to access sensitive systems and data.

Containers,Cloud,DevOps and SDLC are all terms that are increasing in terms of usage in the InfoSec world. In this talk, we discuss how a container exploitation tool (BOtB) was developed to identify and autopwn common vulnerabilities in container technologies such as Docker and LXC and how this tool was used in a modern SDLC environment using common CI/CD technologies to identify, exploit and remediate container vulnerabilities before releases were made to production. In this talk we elaborate on how and why BOtB was built to be used by pentesters to exploit container vulnerabilities and how BOtB can be used by engineers to secure their container environments. The talk will also explain the technical details around the vulnerabilities that can be exploited by BOtB.

AWS Lambda, Azure and Google Cloud Functions are widely used cloud services which allow customers to create event driven serverless functions of short duration. To find out whether a 'bad' serverless function could lead to cloud account takeover, I created some code which I'll test live during the presentation. The demonstration is expected to show that a vulnerable and/or badly configured serverless function can be exploited to allow the attacker to perform unintended actions on the account, which in the worst case could lead to complete cloud account takeover. I'll then present "10 Steps to Lambda Security", providing a practical set of controls for serverless functions, which application developers and security professionals can use to reduce the risk of data loss and unauthorised access.

Malware applications and threats are frequent in the Android world. But they are few comparing to the vast number of benign apps that exist and come daily to the Android markets. In Mobile Security a lot of time and resources of automatic engines and humans are invested into the in-depth analysis to make a distinction between malicious and benign samples and to reveal new threats. Similar samples and near-duplicates cause analysis of almost the same code multiple times by engines, by analysts and by reversers. In this work we present a clones detection system capable to efficiently handle a multi-million Android app samples repository. Our approach is based on a propitiatory algorithm of DEX method digest and on an algorithm for near-duplicate web documents detection. We show that the system is applicable for Android apps indexing. We show that up to 30% of samples in our pipeline have near-duplicates in the history. The system allows us to reduce the analysis time by reusing conclusions in those cases. Malware families research can benefit from clustering of similar samples and analysis of every threat kind single time. In essence, the efforts can be concentrated on distinct samples.

Darknet markets come and go for various reasons. Over the last several years we've seen law enforcement take down several of the largest darknet markets to ever exist on the dark web. In a story that involves multi-national cooperation, death and deception, this talk will look at the fascinating story behind Operation Bayonet and the seizure and subsequent takedown of AlphaBay and Hansa. It will also cover the subsequent closure, in April 2019, of the leading darknet market, Dream.

This presentation briefly introducts DCISE and DC3, then dives right into an explanation about what Cyber Threat Intelligence (CTI) actually is. There is an emphasis on having the basics in place before worrying about CTI. There is an explanation of the Cyber Kill Chain using gifs and an analogy to the movie Oceans 11. Advanced Persistent Threats (APTs) will also be briefly explained and introduced with three examples (APT 28, APT 29 and APT 19). The presentation is geared for personnel who do not have much background in CTI or APTs (ideally for personnel new to cybersecurity or not focused on CTI).

This talk will show the digital and analog systems of the power grid and follow the rail of electricity from its place of production all the way to your tea kettle. This talk is different in that there are no bullet points only photos.

The SecDevOps-Cuse/CyberRange aims to be an open-source offensive/defensive security project providing aspiring & experienced cyber security professionals a bootstrap framework. It serves to automate the creation of a private training lab in AWS. This talk reviews the projects underlying technology components, identifies the dependencies, then outlines both use-cases & learning opportunities. The ultimate goal is to introduce a safe environment where security professionals work to expand their vulnerability management, cloud computing, & offensive security knowledge.

To some extent the darkweb is representative of the web during it's more formative years. This leads to a number of different emergent trust issues when people are looking to conduct illegitimate business on the dark web. With large amounts of cash flow through easily laundered digital currencies, this presents an attractive opportunity for criminals to mimic 'legitimate' criminal marketplaces. This talk presents the preliminary results of a systematic review of this phenomenon.

It is quite common in hardware testing to come across an IC package that either has no easily found datasheet or is a Blob on a Board. The traditional way of discovering what these are is to use Nitric acid, or some other energetic substance, to remove the epoxy coating to then allow the chip to be imaged and reverse engineered. Because Nitric acid can be mixed to create an explosive mixture, this often requires a licence to work with. In the UK, it is covered by the EPP licence. As such, getting hold of such substances is now harder, not to mention dangerous. This talk will discuss mechanisms that can be used to decap chips with common equipment that can be found in the home or local Hackspace - in particular, methods that don't require special requirements or equipment.

Cyber investigations are hard, and tying an online identity to someone in real life is tricky. Despite what others may have you believe, there is no "magic technique" or "secret method" that makes these investigations easy. It takes a lot of incredibly hard work, often a lot of time, and the realist is that most cases simply go unsolved. But - when you do solve one - it's incredible. My talk will walk you through two very different cyber investigations. One involved us attributing a mass-phishing campaign to what appeared to be a legitimate organisation in the Asia Pacific; the second recounts how we investigated whistle-blowing allegations that the General Manager of a Latin American manufacturing firm was collaborating with a local cartel. These investigations both posed unique challenges, and we had to implement different approach for collecting, interpreting, and assessing information. My talk will highlight some of the problems we identified during these investigations, outline how we solved them, and discuss the value of what we learned for next time.

Douglas Adams' Dirk Gently is a holistic detective believing in the fundamental interconnectedness of all things. People, processes, and technology are inextricably linked and the ability to understand the way in which they interact, influence, and are impacted by each other is the key to security. This talk will discuss the issues of unintended consequences and Rumsfeldian unknown unknowns. We'll see how quickly simple systems become complex and the impact that complexity has our ability to understand the problems, design out flaws, and to build and operate more secure systems. We'll take a look at a couple of case studies for the impact of underestimating seemingly minor causes of major security failures and the lessons learned. I will be talking about system modelling techniques and how these are used to identify flaws, inter-dependencies, and issues before they arise or if you're playing red team how to use this to find routes to root. I'll leave you with a quote from Dirk: "If you go to an acupuncturist with toothache he sticks a needle instead into your thigh. Do you know why he does that, Mrs Rawlinson? No, neither do I, Mrs Rawlinson, but we intend to find out"

There are a collection of new IETF standards being written that will ensure DNS and the SNI information will be encrypted. This will prevent DPI devices (or diagnostic software like Wireshark) from observing where a user is going on the internet. These have positive privacy and security improvements for end users but also introduce new challenges to defenders and network operators. This talk will give an introduction to these new standards, how they work together and what the implications are.

I've written a book and some blog posts, up until now I thought that was enough to get a student through the basics but I've learned from teaching a college class that in this industry a lot of us will assume a level of knowledge when speaking to others sometimes! This talk will discuss the difficulties and lessons learned from teaching an introductory security course to non-technical students and building on their progression. The age old phrase of those who can't do teach doesn't take into account how much one learns from teaching. Take a topic, break it down explain it and explain it more. Who has learned more here? Essentially the problem with most courses in higher education these days is they don't incorporate new and evolving topics, by teaching these you as the teacher become the student!

Thousands of organizations have already adopted the idea of inviting good-faith hacking to hack into their systems via vulnerability disclosure, bug bounty and next-gen pen test programs. Even so, the risk of prosecution under anti-hacking laws still casts a cloud over the hackers who are trying to help, and many programs haven't removed this risk by including Safe Harbor language within their program policies. It's not intentional -- the simple truth is that the market has progressed so rapidly that most have implemented crowdsourced security programs without realizing this issue, nor do they know how to how to fix it. Bilateral Safe Harbor language enables program owners to not only provide a strong incentive for good-faith hackers in terms of explicit legal protection, but also to outline exactly what constitutes "good-faith" hacking for their organization, and leave legal protections against malicious hackers intact. This talk provides an overview of Safe Harbor in the context of good-faith hacking and introduces a current effort to create a standardized, open-source, easily readable legal boilerplate for disclosure program owners all around the world to use. What is Safe Harbor and key takeaways from CFAA/DMCA Why we need a open source vulnerability standardized disclosure What is disclose.io How can companies participate How can security researchers participate How can legal community participate

If it seems like machine learning is everywhere today, that's because it is! From cars to home automation to toasters, AI is here to stay. The security industry has fully embraced this new revolutionary technology in order to better protect against today and tomorrow's threats. But what about the bad guys? Is this another example of a dual use technology that will be weaponized and used against us? This talk will examine the potential harms that can come from this powerful new technology and how it might be used to attack rather than defend.

An often over looked aspect of security is what happens when information is moving magicly from one device to another with no wires. we know this as (usually) WiFI or Bluetooth and any attacks are based off only these methods. but when you widen the concept of wireless communication. a lot more tools become available

This talk demonstrate advanced keberos based network attack in a hybrid Linux and windows none NTLM based environment. The talk demonstrates looking at windows Active directory from kerberos authentication prospect how an attacker compromise and pivot into network in a Kerberos authentication environment using Nix* MIT kerberos client.

• Kerberos authentication & Kerberos attack surface
• NTLM VS Kerberos authentication
• Deny all NTLM environment, pivoting with kerberos authentication
• Kerberos pre-authentication
• Kerberos stealth dictionary attack
• Missing kerberos auditing and kerberos logs

Women make up just 11 percent and minorities are slightly less than 12 percent of the cybersecurity workforce. Coming from a nonprofit background, which is an industry with a high diversity, to one where it is so unbalanced. It's disheartening and disappointing. I've connected with persons who are underrepresented in the field, and many after spending years in cybersecurity are leaving the field. From their shared experiences as well as my own, it is clear that the cybersecurity space needs to get real about the lack of diversity in the space, and the necessity to make changes as we approach the estimated shortage of 1.5 million cybersecurity professionals in 2019. In this talk, we will discuss our brains and how we label and prejudge, hear experiences of underrepresented people in the space, what can be done to fill the gap, and how to increase and retain the number of qualified candidates in cybersecurity.

In our talk we discuss a completly new and sophisticated attack that can be launched to steal Black Box machine learning models deployed on cloud. These days businesses are totally built around trained Machine Learning/Deep Learning models. Trained models are of high importance and are intellectual property of respective owners. ML/DL Models are often deployed on cloud and made available to end user using APIs. Researchers have found ways to Duplicate the model (hidden in cloud) using provided APIs. Such attacks are called Model Duplication attacks. Our research demonstrates a very efficient way to perform Model Duplication attack on Black Box Machine Learning models. We propose a mathemtical modification to traditional model stealing approach, called as GDALR (Gradient Driven Adaptive Learning Rate) that dynamically updates the learning rate based on the gradient values. This results in stealing the target model in comparatively less number of epochs, decreasing the time and cost, hence increasing the efficiency of the attack. It opens up a window to research and re-invent better ways to protect your cognition lying on cloud.

We often monitor systems and services for over utilization, packet loss, and swapping, but we do not do the same for people. When we attempt to measure people, we expect that they operate at full capacity all the time, hitting KPIs no matter the cost. Do we blame the server when it's overloaded or have too many services running on it competing for the same resources? No. However, when we think about the engineers maintaining our infrastructure and products, we extend them less consideration than our critical systems. This session will propose ways to monitor people availability and proactively avoid burnout.

Magecart is an umbrella term given to at least a dozen cybercriminal groups that are placing digital credit card skimmers on compromised e-commerce sites at an unprecedented rate and with frightening success. In a few short months, Magecart has gone from relative obscurity to dominating international headlines and ascending to the top of the e-commerce industry's public enemy list. Responsible for recent high-profile UK breaches of British Airways, Sotheby's, Cancer Research UK and Vision Express UK in which its operatives intercepted thousands of consumer credit card records, Magecart is only now becoming a household name. However, its activity isn't new and points to a complex and thriving criminal underworld that has operated in the shadows for years. In this session we'll cover the evolution of the groups from 2014/2015 to the present day, detailing their the current tactics and techniques used to compromise website JavaScripts.

This talk examines the online tactics of Junaid Hussain (Aka TriCk) as a hacktavist and later as a member of ISIS. The talk will cover: - Hussains hacking abilities - The hacks he and his crew perpetrated - How Hussain transferred his knowledge to propagandising for ISIS - Hussains role in ISIS' propaganda and recruitment efforts The main aim of the talk is to discuss how Hussain utilised his hacking skills and their effectiveness in relation to ISIS' objectives.

This talk is about a very specific form of lie we tell ourselves to sleep at night, and tell each other during the day. These lies aren't even our own, but we'll defend them to the bitter end, even engaging in online crusades to crush heretics who oppose us. These lies are gospel memes, handed down from authority figures in the Church of Securitology. In this talk I will critically examine parts of 4 Gospels from the Church of Securitology to help attendees understand their own logical blind spots, leading to poor decisionmaking. Drawing upon Nobel Prize winning models of thought (did you spot the combination of appeal to authority and regurgitation?), this talk will show how nothing is original, everything, including your own personality is recycled, and why you make such lousy decisions about everything, especially information security. Some of the sacred animals being sacrificed on this hill include:

• HTTPS
• 2 Factor Authentication
• Digital Surveillance
• Segregative events

The talk is based around the collective negative experiences of Nettitude's Red Team and how through these losses the team has become stronger, more successful and ultimately "winning" by improving the blue teams they are up against. The talk will describe some of the failures in OPSEC, difficulties in accessing/compromising objectives and how these losses have led to the development of new tools and techniques as well as creating an environment where adversity on an engagement is merely an opportunity to become better as a team.

Bitcoin, Litecoin, Ether, Ripple, Dogecoin, Dash, Blackcoin... even Bollywoodcoin: all of these cryptocurrencies, and several others, have been abused in malicious Android applications. In this talk, we discuss several recent malware - some have been discovered less than a month ago! There are alleged mobile Bitcoin miners, clippers etc. We reverse engineer live interesting samples, and also track cybercriminals' profits. Indeed, despite their increasing power, mining on smartphones has its limits. Can we really mine on a smartphone? If not, where is the profit for cybercriminals? Come, and you'll see :)

5 years ago, we published SherlockDroid, a framework to automatically inspect Android marketplaces and highlight the most suspicious applications. This system was based on application crawling, feature extraction (called DroidLysis), and machine learning and classification (called Alligator). We obtained excellent results (yes, yes :=) [1]. Recent techniques based on static/dynamic analysis and/or deep learning do not achieve significantly better results and suffer the same drawbacks. With SherlockDroid, there was less than 1% on false positives, which are so important for the Anti-Virus industry. We achieved those results with a close analysis of Android malware of 2014-2015. This led us to extract a fortunate choice of features for malware at that time, and also, we were using a lightweight innovative classification techniques. Note that our results were obtained based on large samples clusters (500,000 malware) and led us to discover more than 30 unknown Android malware.

Enough praise! 5 years later, we are no longer using SherlockDroid! And nobody is (as far as we know). Why? Maybe it wasn't that great ;) What has changed since 2015? This is what this talk is going to discuss. We explain the issues we encountered over time, and why after a while, we decided to abandon the project:

• Time to rebuild clusters with new samples and re-run learning
• Constant malware evolution: enciphered payloads, obfuscation, anti-emulation...
• Highlighting too many riskware.

[1] https://perso.telecom-paristech.fr/apvrille/docs/trustcom2015_apvrille.pdf
[2] https://alligator.telecom-paristech.fr

Working with many customers and lots of data on a network security monitoring platform inevitably leads to the question, 'how can I start to track my network hunting activities?' or 'how can I tie back my hunting outcomes to real impacts for the organization?' DFIR personnel invest lots of time in hunting today and threat hunting programs are encouraged as part of a mature and successful CIRT. However, management is looking for the 'so what' or metrics to demonstrate the value of threat hunting in real terms. After all, threat hunting involves dedicating man-hours from highly skilled professionals - a big investment for enterprises. Therefore, it is natural to want to collect data to drive decisions. How do you know if a hunt is worthwhile? Are you wasting your time? What could I do to become a more efficient hunter? There is plenty of information on suggested metrics to collect to start answering these questions (the 'what') but there is a lack of direction how this can be done in an operational workflow (the 'how'). In this presentation, we will demonstrate how to operationally track and report on hunt outcomes that has helped our customers demonstrate value from threat hunting operations. We will build and use a standalone JIRA/Confluence instance that is made available to all in order to help people identify useful workflows & metrics, formalize the hunting process, and see results in the context of the Mitre ATT&CK framework to drive smart and efficient decision making.

When writing malware, oftentimes we need a bit more flexibility (i.e. sneakiness) than the victim's "normal" network stack provides us. Perhaps we'd like to not worry about our source address being identified or maybe we'd appreciate not having to fiddle with host-based firewalls. Enter libpcap. Aside from powering tcpdump, it enables us to send and receive all sorts of strange (and hopefully invisible) network traffic we can use on the offensive side of things. In this talk we'll first take a broad look at what libpcap is and what it can do for us, then we'll explore how to use it to do devious things like circumvent host-based firewalls, grab interesting info off the wire, ask system processes call us back with shells, and keep pesky EDR connections from happening. Source code for all of the techniques discussed in the talk will be made available.

With the release of the OWASP TOP 10 2017 we saw new issues rise as contenders of most common issues in the web landscape. Much of the OWASP documentation displays issues, and remediation advice/code relating to Java, C++, and C#; however not much relating to JavaScript. JavaScript has drastically changed over the last few years with the release of Angular, React, and Vue, alongside the popular use of NodeJS and its libraries/frameworks. This talk will introduce you to the OWASP Top 10 explaining JavaScript client and server-side vulnerabilities.

Attacking the 500 million password hash dump provided by Troy Hunt, using a new tool (hashcrack) for parameter selection for hashcat. I describe the approach taken, together with empirical results on what methodologies actually work when performing password cracking.

We present a new tool, hashcrack, to preprocess hash files and drive hashcat with sensible parameters, including support for automatic ntdsutil and responder DB extraction. Examples of good and bad hashing methods are given, as well as advice on how to do strong password hashing, and prevent credential stuffing attacks. We also do a walk through of cracking 500 million hashes from Troy Hunt/haveibeenpwned's NTLM password dump will be given, and a representative data set of mixed hashes (NTLM, sha256crypt, bcrypt, Drupal, Wordpress and others) will be provided for a CTF-type competition. See https://github.com/nccgroup/hashcrack - the tool supports many common hash formats including Cisco, UNIX, and Windows types as well as standard MD5/SHA1,2,3 etc.

A company, regardless of its size and market power, may go out of business or lose a lot of value because of a security incident on its information system. The number of vulnerabilities and the interest of cyber-attackers is only increasing. With the advent of the monetization of botnet cyber attacks or the installation of crypto-miners for example, the threats are going more varied and intensified, but less targeted. The vast majority of companies are digital and increasingly exposed on the Internet. The level of cyber exposure is also higher. The "Cyber" risk has become vital. Today, everything has changed and tomorrow everything will change even faster. Where manual analysis was sufficient, paradigms of risk assessment are moving towards more automation. But we need intelligent automation. The technological offer is not lacking, but after more than 10 years of experience, our observation is indisputable:

1. The best tools are only satisfactory in part of their capacities
2. It remains difficult to have a realistic and continuous visibility on the risks borne by the assets exposed by an organization.
3. Business processes tend to adapt to the tool capabilities rather than using these tools to support their cyber surveillance strategy.

Zimbra, one of the most popular open source email products, is a thick Java-based system with very large codebase and mature security history. In this talk, the researcher will walkthrough the process he took to dig into Zimbra internals and uncover a series of critical zero-days from it. The process combine several important aspect of any vulnerability research such as static analysis, dynamic analysis and exploitation tricks. They eventually lead to the discovery of several Remote Code Execution exploit chains, both auth'd and pre-auth.

Powershell is Dead....mibs! It probably is if you want to limit your attack tooling, but trush be told its very environment specific......from running noPowershell using the System.Management.Automation.dll, loading .NET v2 binaries to disabling defensive capabilities like AMSI, there are many ways to pilfer and remain undetected in an environment based on the maturity of the defensive capability. Is powershell Dead? Absolutely maybe..... The talk is designed to share information about the latest techniques (both defensive and offensive) that we have to face to emulate threat actors with various motivates and tactics. We will talk in depth about the current attack surface, technologies in play on Windows endpoints and some of the pitfalls of EDR products and how the offensive teams role is getting much harder. This will go into the depths of the System.Management.Automation.dll including commonly used techniques such as 'Add-Type' and 'Assembly.Load' in the .NET world. We will also cover some tips relating to process injection methods and tooling which can help detect such activities on an endpoint. The talk will also dive into some of the specific tooling involved including various alterations to PoshC2 and its C# implant, common opsec pitfalls we have been learnt along the way and how easy it can be to detect malicious actors depending on their capability. We will also look at what the world of Red Teaming will look like over the next 12-18 months and discuss the future of memory resident malware and the challenges facing both Red and Blue.

Pown.js is an opensource security framework built on top of Node.js and NPM module eco-system. It is designed to be flexible, modular and to offer a wide-coverage of technologies and features. This talk will give you some practical insights about building security frameworks. You will learn about our failures and successes and you will see a number of interesting demos exploring a number of cool features not available in other tools of similar caliber.

Defending an internal network seems to be a losing battle - in 2019 we should not rely so much on the perimeter as the ultimate defence, but we do. This is even more true when we realise that criminals don't care that a particular attack vector was not in scope of a pentest. In this talk I will present a working and usable malicious device - that is nothing new, but the novelty is how cheap and easy is to develop and implant the device, as this is the criminal approach (plus maybe some other total-pwn type attacks, that will be determined on the day). From that I will try to argue the case of shutting down the firewall and shifting the security... right? I will present the current solutions available (and free) to use that could move us away from the traditional approach to corporate defense and be better prepared against down-to-earth attacks. I do not work for any of the vendors, this is not a sales talk.

When dealing with modern JavaScript applications, many penetration testers approach from an 'out-side-in' perspective, this is approach often misses security issues in plain sight. This talk will attempt to demystify common JavaScript issues which should be better understood/identified during security reviews. We will discuss reviewing applications in code-centric manner by using freely available tools to help start identifying security issues through processes such as linting and dependency auditing.

As companies and organisations adopt more rapid development and release methodologies, it is becoming increasingly difficult to stay on top of the overall security posture of one's systems. While most employees and members want to ensure that they are doing the correct thing, they are under constant pressure to deliver. The purpose of this talk is to discuss how we can change the way in which organisations approach security while developing their tools and services, by providing tools and frameworks which would allow members of the team to carry out their work in a secure fashion with minimal effort and security knowledge. Automation being a key part of this equation, utilising several available tools and frameworks available currently. All of this to hopefully raise the awareness of security while encouraging a security culture.

The importance of security and privacy, keeping the data safe in healthcare is huge. We also need to be aware, that the criminal can harm the patient in many different ways, for many different reasons, with the goal to harm them, but also doing it by accident, just simple because we did make everything digital, put and connect everything online, without thinking about the need to make it safe and secure. We need the environment, with the organization that will make possible for infosec professionals to can do their job as best as possible. With good communication, team work, and good agreements, we can make a stable base to build safe and secure environment in the healthcare or anywhere else

Spear phishing is on the rise, and the more our lives are displayed online, the more information a hacker has to target us. This talk will describe our journey for a spear phishing attack, detailing how to pick and research vulnerable targets via social media, and then how to construct emails based on the information discovered. We will use real-life case studies from social engineering engagements, supported with statistics from the attacks and the resulting real-world consequences. After this talk attendees will understand: The effectiveness of social media in planning spear phishing attacks How to recognise common spear phishing attack vectors How to protect themselves and their organisation against spear phishing

With the advent of social networks followed by Secure Instant Messaging (SIM), privacy became more and more important for the public. To the point where SIM became a problem for some states. For one side this lead to the block of Telegram in countries like Russia and Iran and Instagram in Iran. But also lead to the appearance of cloned Telegram and Instagram applications under the cover of enhanced features or censorship bypass. When the reality is that, although allowed access to the legitimate service, would also allow its operators complete access to the contacts and chats for its users. Some of these applications can even be found on the legitimate Google Play Store with thousands of downloads and on some cases I around 1 million of users using these applications. I will show a various of examples of such cloned applications and the different techniques used to report back. I will also show that the developers of such SIM applications also bare some of the responsibility for these attacks, by lacking transparency and proper defaults on their applications. But also because some of their features are prone to be abused and still they decide not to do their due diligence on these matters. With my presentation I want the audience to understand that SIM are being abused to spy on public, in scales that are beyond comprehension. The problem is not limited to rogue application stores or to state sponsored groups, it can be deployed by any malicious actor with the proper knowledge. Finally, these attacks are possible not only due to the lack of security awareness of the public in general, but also because SIM developers are not doing their share to improve the security of their users.

How do you realistically emulate attacker behaviour? Whether you are testing your own defences, want to improve them or are investigating new attacker techniques, generating realistic adversarial behaviour is hard. The MITRE corporation released CALDERA last year, a very powerful (but underrated) attacker emulation tool. It allows you to implement your own attacker techniques and model attacker groups based on techniques they use. Using a clever, built-in decision planner, it will chain selected attacker techniques in order to execute a realistic end-to-end attack path. This talk looks at how you can turn new attacker techniques into CALDERA actions, how to chain them together and what that looks like in a controlled environment. Using LOLBins, webshells and Powershell weirdness, we'll look at how to do emulation right.

Security testing or penetration testing has been a career path that many are beginning to take. Penetration testing is the umbrella term for many different types of engagements, ranging from web, infrastructure and social engineering. With the growing risk of sabotage and/or corporate espionage it has been seen that many organisations are beginning to develop a tactical capability. In doing so, the term 'Red Team' has been coined to market such engagements. Red Teaming is the method of having almost free reign towards a target to stress test the full capability of the organisation. However, Red Teaming can be an expensive and resource intensive task. This talk discusses the cost and toolkit required to carry out Red Teaming. As well as the research and development towards making a covert disposable phone to help aide Red Teamers with the reconnaissance phase of a test without drawing attention to themselves within a day to day task.

We live in a world of competing nation states, proxies of those states and non-nation state actors. This competition manifests itself in any number of ways: conflict, sanctions, restrictions, embargo, assassinations, etc.

Clausewitz's suggested war as politics by other means so, the natural conclusion is cyber espionage, cyber-attacks and cyber influence operations are merely manifestations of a policy clash between two or more competing powers or proxies. Or are they? Join the speaker for an exploration of how nation state Advanced Persistent Threat (APT) actors have embraced cyber to further national goals through covert or overt means. This presentation identifies the strategies and legal counter measures available to nation states to defend themselves from APT attackers.

In this presentation, we will look at how to maximise your security awareness programme and improve incident response by developing a security champions programme. A security champions programme is a network of people within an organisation who are not cybersecurity professionals but work as a security representative, functioning in much the same way as health and safety officers. This can be a great way of scaling up your awareness-raising, improving two-way communications between the infosec team and the rest of the organisation, enhancing security without needing a big budget and improving the likelihood of an employee reporting an incident. But, building and maintaining a champions programme from scratch can feel daunting. It's also very important to align a champions programme with your company culture, which means you need to understand your current culture, how long culture-change can take and what elements of culture will be impacted by a champions programme. Thats where we come in! In this talk, the speakers will use their real-world experience of champion programmes to outline:

• Why a champions programme can be such a good idea for cybersecurity
• Steps you can take to establish a champions programme from scratch
• Why cybersecurity culture matters, including defining what we mean by "cybersecurity culture"
• How you can get busy people to become security champions when it is not part of their day job (and they won't get paid for it)
• Ways to monitor the effectiveness of your champions programme
• What some of the pitfalls of a champions programme are, and how to avoid them

Understanding the symptoms of stress, anxiety and depression and knowing the mechanics of our mind and brain can help us deal with difficult situations. Stress, anxiety and depression are on the rising in society, not only in adult population but in children and adolescents. Life in the modern world is fast and stressful. We feel the pressure to perform at work, in our private life, family life and finances and the quality of our lives decreases leaving us unfulfilled and anxious about our future. Our relationships with ourselves, the world and others are damaged by lack of time indefinite number of tasks and duties which need doing in a 24 hours period that is never enough thus stress leads to anxiety and depression.

Usernames cause a lot of debate. One significant issue is whether we should assume usernames are a piece of public knowledge, meaning that disclosed or exposed usernames should be classified as a low risk. But what are the real risks of exposing a username? Should reusing usernames across accounts - much like recycling passwords - be classed as a genuine risk? Without clear examples demonstrating the consequences of exposing usernames to draw upon, people fail to grasp the seriousness of the matter. This talk will use real-world case studies to demonstrate the risks associated with having a unique username that is shared across multiple services. It will also cover the importance of usernames in open source intelligence (OSINT), and the techniques used for gathering usernames and linking them to accounts. Finally, the presenter will show how usernames can be used to identify passwords from breaches, and then used to perform credential stuffing attacks across accounts or even tailored malicious spam campaigns.

There are plenty of username disclosure case studies to draw on. In 2018 we saw the OpenSSH username enumeration vulnerability that allowed for easy username brute-forcing, making the identification of valid user accounts trivial given a large enough collection of possible usernames. This means it is easier to perform a successful account compromise. Another example is the United Kingdom Internet Service Provider (ISP), PlusNet, where the ISP is opening exposing customer usernames via DNS PTR records for all static IP addresses assigned to both domestic and business customers. The talk will take PlusNet as a case study and show how username disclosure could be used to reveal personal information about PlusNet customers. Due to the often unique nature of usernames - and that domestic customers not only use unique usernames but also commonly use their full name as the account identifier - it is possible to use GEO IP lookups and some Google dorking to tie social media accounts to an IP address. This case study and demonstration will make it explicitly clear why we should care more about unique usernames being exposed to the public. The talk will conclude with a discussion around how we should be treating risks like this, and how we can limit the amount of linkable services online to increase attacker costs and avoid being yet another piece in the great OSINT jigsaw puzzle. Usernames are never going to never going to be a silver bullet; however, once combined with other intelligence, it becomes extremely valuable when targeting individuals or organisations. Attendees will learn:

• How malicious actors use usernames, including during OSINT reconnaissance and in credential stuffing attacks
• How personal customer information can be compromised by Internet Service Providers that disclose usernames through DNS PTR records
• How to reduce your online exposure and prevent attacks where usernames are abused to target organisations and individuals

What does Minority Report, Black Mirror, and 1984 all have in common?.. Well, turn up to the talk to find out. On a day to day basis we countlessly write notes, send messages and respond to emails. The question is, however, what does what we write actually show about us, and how can we use the meaning behind these pieces of text to predict crimes and attacks. This talk delves into just this - how machine learning, and specifically natural language processing and sentiment analysis, can be used to predict crime and security attacks. This, of course, comes hand in hand with talking about predictive policing approaches, biases in predictive policing, and how natural language processing can be used to automate this whole process.

In this talk, we discuss the lengths some organisations go to, in order to protect personal data, as opposed to those that say they do, once the personal data they were responsible for has been flooded onto the Web. It's a tale of breach after breach after breach, laced with some hope that certain firms are at least trying to do the right things. We all make mistakes, but we should at least give it our best shot at avoiding doing so. There'll be humour and music, as well as a very clear message that while many firms are doing the right things, there's a long way to go. The Beer Farmers will combine to deliver something hopefully entertaining, as well as current and educational.

An exploration of the ethics of hacking and the unintended consequences of whatever you might do on a computer. How you should conduct yourself as an ethical human being in the fascinating world of computer science.

Academic research on machine learning-based malware classification appears to leave very little room for improvement, boasting F1 performance figures of up to 0.99. Is the problem solved? In this talk, we argue that there is an endemic issue of inflated results due to two pervasive sources of experimental bias: spatial bias, caused by distributions of training and testing data not representative of a real-world deployment, and temporal bias, caused by incorrect splits of training and testing sets (e.g., in cross-validation) leading to impossible configurations. To overcome this issue, we propose a set of space and time constraints for experiment design. Furthermore, we introduce a new metric that summarizes the performance of a classifier over time, i.e., its expected robustness in a real-world setting. Finally, we present an algorithm to tune the performance of a given classifier. We have implemented our solutions in TESSERACT, an open source evaluation framework that allows a fair comparison of malware classifiers in a realistic setting. We used TESSERACT to evaluate two well-known malware classifiers from the literature on a dataset of 129K applications, demonstrating the distortion of results due to experimental bias and showcasing significant improvements from tuning.

An overview of adversarial machine learning and the associated attacks. A look at the place of threat modelling and a secure design and development process, to implement robust ML systems.

Authentication is a quintessential aspect of any web interaction. We dig deeper into the widely used authentication patterns, their commonly observed incorrect implementations and provide practical guidelines to implement them securely. We will focus on password, token, multi factor and password less workflows such as OAuth, WebAuthn, Cloud authentication and other emerging methodologies.

Blue-screens inbound. In this one we'll hold your hand as we walk through the process of attacking drivers in Windows kernel-land. This talk is meant to be an entry-level introduction to Windows driver fuzzing. No prior experience is required, but a knowledge of reverse-engineering, Windows internals, or the fuzzing process will be helpful. Attendees will walk away with basic knowledge and a step-by-step process of how to setup, fuzz, and triage crashes caused by drivers behaving badly.

As we continue to see the threat landscape evolve, with attackers learning lessons along the way, the latest threat vectors are arising where we least expect them - our business partners and administration tools. Increasingly, individuals and small businesses are being used as unwitting vectors for attack against larger, well-defended organisations. In this session, John will examine the history of supply chain compromise attacks and talk about some of the latest tools and tactics. He'll demonstrate how and why they work and how to prevent, detect and mitigate against this continually evolving threat.

At a time when user experience can make or break a business, app developers are turning more and more to third-party app analytics tools to help them get insight on how customers are interacting with their app. GlassBox, AppSee, Testfairy, and UXCam are a handful of popular analytics SDKs used by app developers to track in-app user behaviour, crashes, bugs, and other issues. The extent of the data collected by these Analytics and Attribution tools without it being clear in the privacy policy has raised several security and privacy concerns lately. Embedding 'Session Replay' technology to record the users screen received special attention from security researchers in the early 2019 as it can include privacy-sensitive data, such as login credentials, financial information or medical records. In this presentation we go over an in depth analysis of popular Apps we reversed, and show different methods they use to record users screen/session in both iOS and Android platforms. We further explain static and dynamic techniques to identify Session Replay capability in an App. We also discuss advanced techniques Apps implement to fingerprint mobile devices in the hardware, OS or Application level. Correlating this information with users identity, App developers or third-party analytics services can profile and attribute the user.