Voting closes at midnight on the 10th of April, 2018! Please ensure you have voted by then.
There are over 60 talks on offer and we recommend you take the time to read through the abstracts. At the bottom of the page is the form to vote with. Please score at least 10 of the talks to your preference. Please score the talks you would like to see from 1 to 10 (10 being the highest).
This year the submissions will be presented anonymously. This was both requested by some of the speakers and decided by the CFP board.
In order to vote you need to provide your email address and your ticket number or hotel booking reference. We recognise that a large number of you are looking to pick tickets up on the door, so a ticket number is not compulsory to vote - but we do ask that only those planning on attending actually vote.
If you want to go straight to the voting form click here which will open in a new tab.
Inspired by Brass Horn Communication's OnionDSL, Quad Hop Onions are a proposed web hosting option from Ablative Hosting that takes the usual Tor 3-hop Onion service but, instead of pointing the Hidden Service mapping to a local IP:Port on the server running the Tor daemon, connects to a host that resides in an unroutable LAN. LAN egress is only possible via the presented SOCKS5 proxy, reducing the chances of accidental information leakage or remote callbacks by implanted NITs etc.
To enhance your security posture effectively you need to understand your business and the people within it. Awareness and education of risks is vitally important to this success; this is not about spotting phishing emails but about everyone understanding the daily risks posed to your business. Is DDoS your biggest worry, or is it data loss? This all depends on who you are.
Hacking SCADA, or more commonly ICS, is serious business; unlike other areas of offensive security, one mistake can cost lives. The speakers will present their ICS research, walk through caveats and protocols, and show some demos. We will also show how you can start researching industrial systems safely and cover what you need to know to not get someone killed. We will also share the story and method behind how we cost a company £1.6M in lost earnings with only 4 lines of code. We will not be showing exploit code as we believe, given what's at stake, it's highly irresponsible; what we will do is give responsible researchers the knowledge they need to get involved and start helping to secure critical infrastructure.
They say Crypto is hard, OpSec is harder. This talk will combine proper operational security techniques with Porthunter's experience in the field; you will walk away with practical OpSec know-how and ideas on how your operations can be more secure. We will cover the heroes, losers and funny stories from the world of OpSec.
In this talk, I describe my firm's journey from having all of its (100+) web applications exposed to the internet with *zero* protection, our journey from a chronic DoS incident, through to a trial, error and final success story of holding back the bad guys. Is it perfect? No. In the talk I'll discuss the pros and cons.
Red teaming is everywhere and everybody is doing it. Most organisations are not mature enough to be able to repel red team engagements / simulated attacks. The talk will discuss methods that organisations can employ that will disrupt the red team from achieving their goals; and it doesn't involve an expensive "magic box"!
In companies, we often see DPOs working with lawyers but without CISO or CTO and this is the most important mistake that is made on GDPR because several requirements are covered by the implementation of ISO 27001.
In fact, you have certainly implemented GDPR requirements without knowing it, since some of the text refers to security and we can therefore rely on ISO 27001/2 for security or even ISO 27005 for risk management.
The purpose of this paper is to see who should work together and how, and most importantly, of course, to work on this common foundation and see how to use and adapt what your company has already implemented, and not have to start all over again.
Dashboards are today very badly used; it is easy to perceive this in organisational audits or in CISO support missions.
Being "compliant", protecting the company from financial losses by providing results to insurers and not protecting the company from attacks, is the new way to do security.
Workers are constantly being asked for numbers. That information is concatenated, absorbed, re-concatenated, etc., the further one goes up the hierarchy.
In the end, security issues are totally drowned and other problems, which are more evident, are given priority in terms of processing.
I propose an analysis of the practices and issues as well as recommendations for a new and more secure governance... not based on compliance.
Star Trek: Beyond - Enterprise Security - is a talk focused on the current problems with enterprise security, using Star Trek: Beyond as its main viewpoint and talking about the serious issues created when you believe that your company is the most secure. Within this talk we'll go over the ways a hacker can get on your network, whether it's due to an improperly configured box or a physical security breach, and what you can, or rather what you should, do to mitigate these attacks.
What can your internal users do?
Over the years I have come to the conclusion that in most typical environments any domain user, if they desired, could gain full admin access and change or delete any data or machine.
And would this be hard to accomplish?
No, typically it takes around 30 minutes to four hours, and worryingly sometimes even less time, to gain full admin rights of a typical internal network domain.
So now consider your employees at work or students at a typical university, college or school: they are already halfway there with regards to the process required to exploit all, and why? Because they have been issued with a standard domain account.
Without the constraints of time what could they achieve, have they already compromised accounts that belong to the domain administrative group?
And to those who hold accounts belonging to administrative groups, are you still in charge, or was your account compromised years ago?
Now, this talk I will be presenting, I can guarantee you, will not be dull. If you love hacking this will be for you. I'm going to present how any user can compromise a typical network at any time they choose and then gain access to anything they wish internally.
It will reveal commonly used techniques that I have personally used over the years; often these are simple techniques that could be used by anyone with a domain account or even without one.
What can disgruntled or malicious employees achieve? The answer to this will be detailed in full during the presentation.
I will be honest, this talk will worry some; it's going to reveal how simple it can be to go from a standard user account to owning everything in the domain in a very short time.
What are your users doing?
We trust that the web application code executed inside the browser is exactly the code that was sent by our application servers, but that is often not the case. The reality is that current WebApps are very susceptible to client-side injections and tampering. This can be performed by malicious extensions, Man-in-the-Browser trojans, or any kind of injection attack (e.g. reflected XSS).
These attacks are very concerning not only because they change the behavior of the webpage right on the website that the user trusts, but can also be used to leak sensitive information that the webpage has access to. All of this, without the web application owner knowing anything about it.
The Lazarus APT group is a large threat actor behind multiple widely known attacks such as the Sony Pictures Entertainment hack, the Bangladesh Bank heist and the WannaCry outbreak. In recent years, the biggest target of Lazarus has been the financial sector, such as cryptocurrency exchanges, and they are attacking more actively as the value of cryptocurrency rises.
When they attack, Lazarus uses its own custom malware cluster named Manuscrypt and configures its own C&C infrastructure to control infected hosts. To understand the C&C server infrastructure of Manuscrypt, I carefully investigated each module from the C&C server and its configuration. As a result of expanding the scope of the research, I can confirm their attack methods for penetrating targets and the characteristics of the C&C infrastructure.
In this presentation, I will introduce the TTPs of the Lazarus group for cryptocurrency exchange attacks, the characteristics of each module for C&C server configuration, and the features of the C&C server infrastructure. Eventually, attendees will understand the whole procedure of the Lazarus group, from attack preparation to mission completion.
Malware hunting is a relatively new field in cyber security. A variety of hunting methodologies exist, such as putting the defender in the attacker's position and trying to spot the "Crown Jewels" likely to be targeted within the organization's network, harnessing the power of Machine Learning and complex big data analytics, and more. All of these approaches are aimed at hunting the latest, most sophisticated threats.
In this talk, we'll discuss a new concept of malware hunting, stating that malware --especially nation-state malware-- is evolutionary. In this, it is similar to other software development projects. Each software program starts from a small code base, which constantly grows and changes as new features are introduced and old deprecated ones are removed. By looking at specific malware as a software project and by better understanding its evolution --including knowing what features were added or removed, when and why-- the hunter is able to spot specific unique functions that have remained, and will remain consistent over time. These unique functions can then be signed and searched within large databases of binaries (such as VirusTotal) in order to find new variants that have originated from the same code base.
Using this concept of looking at malware as an evolutionary software project, we were able to find new variants of Agent.BTZ - one of the world's oldest known nation-state threats, mainly known for the infamous 2008 U.S. Pentagon breach. We will show you, step-by-step, how we accomplished this.
Last September, hackers broke into as many as 2.27 million accounts of a computer cleaning program while targeting telecom equipment companies in the United States, Japan, South Korea and Taiwan.
When Avast, which owns the program, looked at the computer logs, it found just 23 compromised computers at eight different companies. The hackers' program was specifically looking for companies on a list of telecom equipment manufacturers and a few telecommunication companies, attacking many but only infecting a portion.
Avast's CCleaner software had a backdoor encoded into it by someone who had access to the supply chain; the main executable in v5.33.6162 had been modified.
The analysis of the attack we did showed a strong code connection between a unique implementation of base64 only previously seen in APT17, making a strong case for attribution to the same threat actor. APT17, also known as Operation Aurora, is one of the most sophisticated cyber attacks ever conducted, specializing in supply chain attacks.
Our investigation led us to the conclusion that the complexity and quality of the CCleaner attack was most likely state-sponsored, most probably the Axiom group, due to both the nature of the attack itself and the specific code reuse throughout.
In this talk we will demonstrate techniques used to analyze the code that led to those interesting findings. We will describe the attack process and technical flow in detail.
The findings and methods we will discuss have been previously published in two different blog posts and got extensive coverage in the media as well as the DFIR and infosec community.
Nation state sponsored malware has two major advantages over normal threat actors: the infection vector and method of exfiltrating data. Although governments have been known to monitor users or censor web content, little has been covered on their ability to weaponize this control to infect targets and exfiltrate data. It is publicly known that the NSA has QUANTUM and China has the "Great Cannon" and "Great Firewall" to inject packets, monitor information, or redirect web traffic.
In this talk, we will discuss the extent of a nation state's ability to not only monitor web traffic or censor content, but how these efforts have become weaponized by infecting specific targets through packet injection. We will demonstrate these weaponized uses through the analysis of what appears to be a Chinese state-sponsored malware called DCM.
The DCM malware receives information in the form of what looks like updates in legitimate software, using specially crafted packets to exfiltrate information in a manner that would require the threat actor to have control of the flow of data. This malware attempts to send data to IP addresses controlled by the U.S. Department of Defense, U.S. Air Force, and popular Chinese domains such as baidu.com and 163.com. These are obviously not hijacked servers being used as C&Cs and the malware contains unique evidence that the threat actors have control of the flow of traffic somewhere before the data reaches its intended destination.
For a lot of people, the security industry is very exciting and there are always so many talks about how there's a skills shortage, we need more people! Well, I saw the opportunity a few years ago and wrote a primer book on helping folks get into the industry; however, 3400 copies later I've learned a lot more via reader feedback and want to give back some more to the community.
So with that said, this talk will take you on a journey of how I and many of my friends/followers/colleagues got into the industry, it will discuss the best ways to land your first job and how to effectively keep up with an ever-evolving landscape. It won't be a super technical talk but will touch on some technicalities of how to get through x and y.
A story of global geopolitics, economics and of nation state cyber attacks. This talk examines the fate of three APT1 victims, five years after the event, and explores how their fortunes have plummeted to the point of bankruptcy.
While HTTP/S is the most used protocol for app communication, binary or other proprietary network protocols over TCP are less common, and therefore less studied. As a result, many obstacles are left open or unaddressed. Although intercepting and manipulating communication over TCP can be achieved with common tools, in some cases the client will not accept a random certificate from the MitM due to certificate pinning. Kingpin is a TCP proxy that enables bypassing such protections, using the public key of the original server as a MitM certificate. In this lecture, we will introduce the tool and demonstrate how to overcome several obstacles using it.
IoT is already embedded in our everyday lives, but despite the serious impact that IoT vulnerabilities may have on us, security and privacy are sometimes left behind. Bluetooth Low Energy (BLE), also known as Bluetooth Smart, is the most popular protocol used for interfacing IoT and smart devices. Broadly used in the healthcare, fitness, security, and home-entertainment industries, nowadays we encounter BLE in almost every aspect of our lives (e.g. in wearables, sensors, medical devices, security products, etc.). This talk will demonstrate a possible BLE Man-in-the-Middle (MitM) attack leading to the hacker controlling our smartphones.
This talk will be about the basics of social engineering into a client's site/office. I think most SE talks focus on the more technical "human" aspects and I'm purposefully ignoring that side, as I think the audience can often get scared by thinking they have to learn every facial micro expression to get into a client's office successfully. So, I'm going to focus on the basics: how to perform reconnaissance, how to match dress styles, how to make up a pretext that fits your knowledge, how to get real staff to help you, what to do if you do get in, why you should interact with staff, why you should practice being observant, and why you should leave people feeling better for having met you.
Registering a new domain, obtaining a legitimate SSL certificate, and deploying it on a web server got much cheaper for threat actors thanks to free SSL services like Let's Encrypt. Detecting new phishing domains has always been a reactive process for security teams; just like malware, one cannot provide threat intelligence on phishing domains before they're registered and operationalized.
The development of the Certificate Transparency log network adds an interesting dimension for how this process can be improved. SSL certificates, and the domains to which they are issued, can now be monitored in real time. Security analysts have intuition on what a phishing domain looks like when they see it. Building a predictive pipeline to detect SSL certificates issued to new phishing domains can be accomplished very simply using supervised machine learning. In this talk, I'll introduce a Python-based framework for building this predictive pipeline from scratch.
Over the course of the last few years, I have mentored several people who are just figuring out how to get started in cybersecurity. Some of them are interested in becoming Penetration Testers, some are interested in Cyber Threat Intelligence. I would like to break down the artificial wall some people think exists, that it is difficult to get started in cybersecurity. Part of my comments will be drawn from one of my blog postings, which has a section about this topic. Attendees will learn how to get started on a path in cybersecurity, beyond (but including) the traditional bootcamps and self-study methodologies. I also intend to take questions and make this a participative presentation/discussion. I will have very few slides, mostly so that attendees can get a link to the materials for access post-presentation.
Delayed execution is a concept of significant interest to attackers, who seek to use it so that their malware is able to bypass the analysis period of sandboxes and antivirus emulators. Historically, techniques used to delay execution have included Windows API calls, and short, simple loops involving assembly, counters, or loading libraries. However, security tools are increasingly able to detect and prevent these techniques, using methods such as accelerating time, returning false tick counts, intercepting API calls, and performing multipath execution. As a result, attackers are constantly striving to find new and creative ways to delay execution. Delayed execution is also of some interest to defenders, who try to implement it, in either manual or automated solutions, in order to frustrate the attack models of bots, botnets, and spammers.
Enter the timelock puzzle - a relatively unknown cryptographic construct whereby a puzzle is presented, the solution to which requires a certain amount of time or computational effort. Historically, timelock puzzles were proposed for benign applications, such as sealed auction bids, escrow, and the timed release of confidential information. However, they provide an interesting method of delayed execution which to date has been underexplored in security research, particularly as an offensive methodology. Specifically, they may present a significant challenge in malware detection and analysis, particularly for automated solutions such as sandboxes.
In this talk, I cover the history of timelock puzzles and their proposed applications for offence and defence, and examine some case studies. I then demonstrate several timelock puzzles which I have developed, including some novel constructions, and show through demonstrations how they can be weaponised - including both process hollowing within executables, and within VBA macros. For each construction, I explore the advantages and disadvantages for both attackers and defenders, and explain how they work, and why. I then turn to prevention and detection, presenting a heuristic model for generic detection of timelock puzzles, and cover the defender's perspective in the form of attacks against timelock puzzles, including parallelisation, predictability, and enhanced computational processing.
I then cover the challenges and feasibility of using timelock puzzles for good, discussing some of the models presented in previous work and a real-world case study where timelock puzzles could have been used to significant effect, break down a proof-of-concept defensive timelock puzzle I created, and some of the issues identified with it from an attacker's perspective.
Finally, I assess the practicality of timelock puzzles for both attack and defence, share some lessons learned from this research, and outline suggestions for future research in this area.
The main goal of this session is to walk through the multiple vulnerabilities present in PBX that may pose a threat to any individual or organization. This talk will demonstrate multiple exploitable security vulnerabilities, including impact, attack scenario and mitigations, that we came across while playing with different PBX. Hackers could explore the vulnerabilities to launch various security attacks, and security professionals will learn how to mitigate against them. Our presentation will not be limited to one, but many PBX vendors.
One misconfigured line of code results in anyone in the world being able to destroy or take over a production system in the cloud....
The speaker presents examples and demonstrations of real life cloud security issues based on his experience working on cloud migration projects and operational cloud applications for both public and private sector organisations.
He then discusses the root causes of these issues, and how best to mitigate cloud security risks, looking not only at technical controls such as automated testing and compliance enforcement, but also aspects such as knowledge, training, culture and organisational structure.
The discussion flow would start from the importance of browsers, the need for security within them, my research and vulnerabilities found, and finally a demonstration of a zero day, apart from other exploits and attacks, against browsers. The talk would conclude with a discussion around remediation efforts to protect against these attacks.
Over the years reliance on browsers has increased manyfold. With the features provided by browsers, along with their numerous extensions and components, browsers have seen a humongous increase in the number of users using them to browse different services. This provides a huge attack base to "research" and identify potential vulnerabilities which can be exploited in order to improve defensive controls.
The talk I will be presenting is entirely my own work of research. While identifying vulnerabilities in web applications and participating in various bug bounty programs is interesting, I enjoy targeting platforms which are less popular as research topics. Having said that, while security for browsers is a known topic, I've been able to identify, through my research, several vulnerabilities (including a zero day) which will help secure it further.
The issues I will be talking about are completely new within three specific domains - SOP, RCE and Address Bar Spoofing (ABS). These vulnerabilities, along with the attack scenarios, are something which I've created through my research. I've also created, from scratch, an exploit code which can be used across several browsers for the same vulnerability. I will be showcasing a new Metasploit module - CVE-2017-1129.
Negative thoughts and self doubt can cripple your chances of success.
Let me share with you my story on becoming a Pentester without ANY previous experience. This talk is about how almost ANYTHING in life can be achieved with only 3 things - Determination, Persistence and Passion.
I started in this industry with NO experience whatsoever. In December 2015, I didn't even know what a VM was. In May 2017, I passed the OSCP exam. My passion for IT Security was sparked by watching YouTube videos and I became determined to become a PenTester.
I want to share with people my experiences. My talk focuses on FREE training and development. More importantly, I also talk about the 'soft skills' that are crucial to success. Things such as developing a plan and negative thoughts and how they can hinder our success.
My first ever talk was at BSides Leeds this year and even Cybrary.it contacted me asking if they could use the video on their website. It seems to have helped loads of people and I just want to help even more.
Security is routinely associated with lack of usability, and sadly, deservedly so. Under regulatory demands we've seen businesses resort to box-ticking, unwilling or unprepared to consider how their approach impacts the overall security.
In this talk I will go over the major themes in security vs. usability over the past decades, and the lessons we've learnt on what works or doesn't. I will also cover both psychological and technical aspects of security, to lay out my vision for improving the landscape of our often contradictory requirements.
It's been said "Intrusion analysis is as much about tcpdump as astronomy is about telescopes". Understanding who is attacking your network or a customer's, and why, is just as important as analysing the packets on it.
This slot will focus on a technical offender profiling framework that can be used to build a knowledge base on malicious actors. This talk will delve into the following areas:
The most advanced nation-state actors have a wide range of options in how to execute their offensive operations. This "optionality" allows them to project a particular profile (if detected) and potentially achieve additional non-technical successes. This operator world stands in contrast to the marketing and headline grabbing InfoSec community, where "Narnia is responsible for this attack" is the main objective.
This talk will focus on intrusions and attacks over the last 10 years, and how sophisticated actors have used particular tactics and techniques to push confusion, attribution and successes far beyond the technical.
Hacking the Drones will cover security issues of some of the most popular drones and how to hack those drones. It will include video demonstrations of how to get complete access to drones. This talk will also cover a brief overview of drone laws on flying drones in the UK. Thirdly, it will focus on GPS spoofing techniques, how private drones are different from military drones, and the methods used to hack private drones.
Most of us base our security on assumptions. We assume our security tools, people and processes are working, vendor default configurations are right for us, if something was working before it's still working now, and ongoing configuration changes are accurate. The sad truth is, we've been doing security wrong for so long that it feels right, but statistically, more is broken than working.
Consider this: the great majority of organizations can't answer these basic questions. "Are we safe from the latest attack that's all over the news? Can we prove that our security controls are working as intended? Do we know if a configuration change negatively impacted our security effectiveness? Who can provide us with empirical evidence about the value we are getting from security?" It's time we answer these questions, and to do that we need to think differently about security and become a security hero.
As a security hero you can ensure that the dollars spent, plus the effort expended, results in value and increased security effectiveness. See firsthand, through use cases and demonstrations, how you can empirically determine what's working and what's not across your security stack. See how to fix what's broken, then validate that the fix worked. Understand how you can put an end to assumptions and environmental drift and communicate the state of security effectiveness to your stakeholders. Be the security hero your organization needs.
You have many security products, probably too many. But you are still not secure because it's nearly impossible to know if your security products are actually doing what you want. Through live network and endpoint attack demonstrations, see how to use attack behaviors with Bartalex, Vawtrak, Mimikatz, PowerShell, Tunneling and others to validate your actual security products are working. See startling statistics, based on real-life case studies, that illustrate how ineffective many organizations, some with massive security budgets and teams, actually are because of a lack of validation. See how you can turn these attacks into an opportunity to instrument more effective security.
The advancement of Unmanned Aerial Vehicles / Systems has matured at a rapid rate. There is increasing popularity in market trends towards the concept of Urban Air Mobility (UAM) with the socialization of autonomous vehicles. The Urban Air Mobility (UAM) industry will face similar threats to already unresolved airport SCADA threats/vulnerabilities. Their cybersecurity vulnerabilities are similar to those of autonomous vehicles, since they both rely on sensors for navigation, acceleration, and obstacle avoidance. The presentation will review the feasible multi-vector attacks and impact for Urban Air Mobility (UAM) using the following components - Sensor Spoof, Electro Magnetic Interference, LiDAR Vulnerability, Acoustic Attack, Accelerometer Sensors, Gyroscopes. Countermeasures remain a challenge in the Urban Air Mobility (UAM) space industry, presenting a new threat to the aeronautical community.
North Korea is an isolated nation ruled by a brutal and repressive hereditary monarchy. The Kim regime's totalitarian control over its own population and severe information controls have led to a global misunderstanding of its strategic goals and motivations, as well as a host of inadequate policy responses.
The speaker proposes that tracking North Korean activity in cyberspace (on the internet) is one way to correct these misunderstandings, identify new pressure points on the Kim regime, and discover different levers to contain the North's nuclear development.
From the destructive attacks against South Korea and Sony Pictures Entertainment, to cryptocurrency operations, to tracking North Korean leaders' browsing behavior, North Korea utilizes the internet like no other nation on earth.
During the presentation the speaker will also reveal new research into North Korean elites' internet activity and tie all the elements into a narrative about how we can use the internet as a lever to increase pressure on the Kim regime.
The speaker argues that the internet is indispensable to the Kim regime and that understanding this could help the West to blunt North Korea's nuclear ambitions and rewind the doomsday clock.
In many organisations, Cyber Security has become a taboo subject. The ridiculous amount of FUD surrounding security gives a sense of negativity and the belief that you can only fail, so why even try. Last year, the number one reported reason users did not report a ransomware incident was shame and embarrassment. So how, when most users feel hopeless and would rather do nothing than learn about security policies, do you create a successful awareness strategy?
In this talk, the speakers talk through how they developed an effective cyber awareness programme, from hypothesis to roll out, covering the challenges along the way, considerations, successes, and even a few hilarious failures.
Embedded devices and IoT have received a lot of bad press over recent years. The problem with embedded devices and IoT is that the ever-growing number of Internet connected devices greatly increases the chances of attackers achieving exploitation by discovering security weaknesses. For example, the Mirai botnet reached record-breaking DDoS speeds in excess of 650 GBps back in 2016, by exploiting default logon usernames and passwords in commonly used home routers and Internet connected cameras.
This talk aims to cover how to get started finding and exploiting vulnerabilities in embedded devices and IoT. Along the way, the audience will learn some of the hardware and software tools of the trade, how to get started, common attack vectors, responsible disclosure, and how IoT overlaps somewhat with OT/ICS security challenges.
"We take security seriously" four words that are so easy to say, but what does it mean in the real world?
Are they just soothing words designed to pacify frustrated users in the aftermath of a breach? Or can these words actually mean something more?
I spent months speaking to security professionals and practitioners, as well as going undercover to speak to business owners which certainly rattled some cages.
Thankfully, I dodged many bullets, all in the name of attempting to quantify the unquantifiable - what does it really mean to take security seriously?
So come along, find out what the professionals think, what the general landscape is, what steps businesses can take, and maybe a few crazy side stories.
Random Numbers are important. Really f***ing important! Yet, they are so often misunderstood. Decent Random Number generation is relied upon by large chunks of our cryptographic wizardry, and yet mistakes are repeatedly made - and we're seeing these mistakes bleeding into IoT.
With the proliferation of 'smart' devices, what affects the security of these devices could affect anything from lightbulbs to pacemakers. The author's own research has found some real problems with embedded devices generating random numbers, some proposed fixes, and then some problems with those for good measure.
We will present an overview of what 'random' is (with little to no scary maths), the current state of the art, an overview of embedded devices' RNGs, our assessment results, and how things can move forward.
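The failure mode the abstract above alludes to, shown as an added example that is not the speakers' research code: a firmware PRNG that is seeded from a narrow value (here, milliseconds since power-on at the moment the key is generated) produces the same "random" key on many units. The fleet, the seed sources and the key size are constructed for illustration; the per-byte entropy check is included to show that it does not catch this class of bug, only cross-device comparison does.

```python
"""Seed entropy on embedded devices: a PRNG seeded from a narrow value yields
duplicate keys across a fleet. Added example with a constructed fleet."""
import math
import os
import random
from collections import Counter


def byte_entropy(data):
    """Shannon entropy in bits per byte (8.0 is the maximum)."""
    if not data:
        return 0.0
    counts = Counter(data)
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def key_from_seed(seed, nbytes=16):
    """Stand-in for a firmware PRNG: fully determined by its seed."""
    rng = random.Random(seed)
    return rng.getrandbits(nbytes * 8).to_bytes(nbytes, "big")


def fleet_keys(n_devices, seed_source):
    """One key per device, seeding with seed_source(device_index)."""
    return [key_from_seed(seed_source(i)) for i in range(n_devices)]


def duplicate_keys(keys):
    """{key: number_of_devices} for every key shared by more than one device."""
    return {k: v for k, v in Counter(keys).items() if v > 1}


# Constructed weak seed: the key is generated 50..149 ms after power-on and the
# millisecond counter is the only seed, so the whole fleet shares 100 seeds.
def weak_seed(i):
    return 50 + (i * 7919) % 100


# Constructed strong seed: 32 bytes from a CSPRNG. On a real device this would
# be a hardware TRNG, or a persisted seed mixed with per-unit data.
def strong_seed(i):
    return int.from_bytes(os.urandom(32), "big")


if __name__ == "__main__":
    weak = fleet_keys(1000, weak_seed)
    print("weak seeding: %d distinct keys across 1000 devices" % len(set(weak)))
    # Per-byte entropy of the key stream still looks healthy (close to 8 bits),
    # which is why entropy tests alone miss seed reuse.
    print("entropy of weak key stream: %.2f bits/byte" % byte_entropy(b"".join(weak)))
    strong = fleet_keys(1000, strong_seed)
    print("strong seeding: %d distinct keys" % len(set(strong)))
```

Run it once and compare the two "distinct keys" lines; the weak fleet collapses to 100 keys while the entropy figure stays near 8 bits per byte.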
This talk will give you:
This talk is about Network Security Monitoring with open tools such as Bro.org or Nikto, apart from Perl scripting on Linux, either alone or in groups using a distributed community system.
I aim to include a basic HOW-TO for creating a Network Monitoring Probe using a Raspberry Pi with the Raspbian OS.
I want to talk about trust (or lack of it) in technology, conflicting messages and losing battles to make the regular user safe. I want to compress in this talk my observations, research and some proofs (with some finger pointing!) on how a lot of what we are doing to make the Internet safe is good and sound but it misses the mark when it reaches the untrained end user. I will present a brief but comprehensive overview of the DNS(sec) system, how well it was designed in terms of trust and how it's being misused, then move on with doing a similar overview of HTTPS/TLS and Certificate Authorities and try to find where the trust in that system is lost and finish with a bang about encrypting everything, everywhere.
The purpose of this talk is to draw the attention of the infosec community, both those who implement the security and those who decide about it, to the fact that the normal user will only ever see the green padlock and get into trouble. I strongly believe that we can do more to help them be safe.
IPFIX is the ratified standard for flow export. IPFIX was designed for security processes such as threat detection, overcoming the known drawbacks of network management based NetFlow. One major enhancement in IPFIX is template extensibility, allowing traffic capture at layers 3 through 7 of the OSI model. This talk introduces IPFIX and describes the creation of BotProbe - an IPFIX template specifically designed to capture botnet traffic communications from the analysis of almost 20 million botnet flows. BotProbe realises a 97% reduction in traffic volumes over traditional packet capture. Reduction of big data volumes of traffic not only opens up an opportunity to apply traffic capture in new areas such as pre-event forensics and legal traffic interception, but considerably improves traffic analysis times. Learn how IPFIX can be applied to botnet capture and other security threat detection scenarios.
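The template mechanism the abstract refers to, as an added example rather than BotProbe's own template or code: an IPFIX message (RFC 7011) is a 16-byte header followed by Sets; a Template Set (Set ID 2) declares which Information Elements a record carries and how long each is, and a Data Set (Set ID equal to the template ID, 256 or above) then carries records in exactly that layout. The seven elements below are standard IANA IPFIX ids; the message builder, parser and sample flow record are constructed here to show how a custom template is declared and decoded.

```python
"""Build and parse a minimal IPFIX (RFC 7011) message: one Template Set that
declares a custom flow template, and one Data Set using it. Added example."""
import struct
import ipaddress

IPFIX_VERSION = 10
TEMPLATE_SET_ID = 2

# (IANA Information Element id, length in bytes). These are the standard
# IANA ipfix registry values, chosen here to describe a flow tuple plus counters.
FLOW_TEMPLATE = [
    (8, 4),    # sourceIPv4Address
    (12, 4),   # destinationIPv4Address
    (7, 2),    # sourceTransportPort
    (11, 2),   # destinationTransportPort
    (4, 1),    # protocolIdentifier
    (1, 8),    # octetDeltaCount
    (2, 8),    # packetDeltaCount
]
IE_NAMES = {8: "src", 12: "dst", 7: "sport", 11: "dport", 4: "proto", 1: "bytes", 2: "pkts"}
IPV4_IES = (8, 12)


def build_message(template_id, template, records, export_time=0, seq=0, domain=1):
    """Encode header + Template Set + Data Set. Records are dicts keyed by IE_NAMES."""
    tmpl_body = struct.pack("!HH", template_id, len(template))
    for ie_id, length in template:
        tmpl_body += struct.pack("!HH", ie_id, length)
    template_set = struct.pack("!HH", TEMPLATE_SET_ID, 4 + len(tmpl_body)) + tmpl_body

    data_body = b""
    for rec in records:
        for ie_id, length in template:
            value = rec[IE_NAMES[ie_id]]
            if ie_id in IPV4_IES:
                data_body += ipaddress.IPv4Address(value).packed
            else:
                data_body += int(value).to_bytes(length, "big")
    data_set = struct.pack("!HH", template_id, 4 + len(data_body)) + data_body

    total = 16 + len(template_set) + len(data_set)
    header = struct.pack("!HHIII", IPFIX_VERSION, total, export_time, seq, domain)
    return header + template_set + data_set


def parse_message(buf, templates=None):
    """Walk the Sets: learn templates as they appear, decode data records."""
    templates = {} if templates is None else templates
    version, length, _t, _seq, _dom = struct.unpack("!HHIII", buf[:16])
    if version != IPFIX_VERSION or length != len(buf):
        raise ValueError("bad IPFIX header")
    records, off = [], 16
    while off + 4 <= len(buf):
        set_id, set_len = struct.unpack("!HH", buf[off:off + 4])
        body, off = buf[off + 4:off + set_len], off + set_len
        if set_id == TEMPLATE_SET_ID:
            p = 0
            while p + 4 <= len(body):
                tid, count = struct.unpack("!HH", body[p:p + 4])
                p += 4
                fields = []
                for _ in range(count):
                    ie_id, ln = struct.unpack("!HH", body[p:p + 4])
                    p += 4
                    if ie_id & 0x8000:          # enterprise-specific IE: a 4-byte PEN follows
                        ie_id &= 0x7FFF
                        p += 4
                    fields.append((ie_id, ln))
                templates[tid] = fields
        elif set_id >= 256 and set_id in templates:
            fields = templates[set_id]
            rec_len = sum(ln for _, ln in fields)
            p = 0
            while p + rec_len <= len(body):    # trailing bytes shorter than a record are padding
                rec = {}
                for ie_id, ln in fields:
                    raw = body[p:p + ln]
                    p += ln
                    name = IE_NAMES.get(ie_id, ie_id)
                    rec[name] = str(ipaddress.IPv4Address(raw)) if ie_id in IPV4_IES else int.from_bytes(raw, "big")
                records.append(rec)
    return records


# Constructed sample flow (an IRC-port connection, a common botnet C2 shape).
SAMPLE_FLOWS = [{"src": "10.0.0.5", "dst": "198.51.100.7", "sport": 51234,
                 "dport": 6667, "proto": 6, "bytes": 1500, "pkts": 12}]
```

A collector that has not yet seen the Template Set cannot decode the Data Set, which is why exporters resend templates periodically; the parser above simply skips data records for unknown template ids.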
Human nature looks for shortcuts and can lead to "let's focus on the critical and high vulnerabilities then we may be able to fix the others later" which is a classic cause of technical debt. From a simple logic perspective this makes sense but fails to address chained vulnerabilities that represent a high or critical vulnerability, but individually are less impactful. CVSS scoring has its place, but it's not a pure numbers game when it comes to securing your systems, you need to think more like a hacker in defending your information.
At MoJ I break things and find out how secure systems really are, in Feb 2017 I found a high-severity vulnerability in a high end Cisco data centre device. This was a CVSS 8.8 but became several low risk vulnerabilities when disclosed to Cisco through responsible disclosure.
Is it possible for an Android application to surreptitiously record a user's screen and/or automate user input? If so, how do attackers exploit it and how do application developers defend against such attacks?
This talk explores the functionality exposed by the Android Open Source Project (AOSP) framework that could be exploited to achieve screen recording or automated input on a stock, non-rooted Android device. It then examines the defences placed by AOSP developers to prevent the abuse of this functionality. Finally a couple of vulnerabilities I've identified in the AOSP framework are discussed and demonstrated that circumvent these defences and allow an Android application to record the user's screen and/or automate input.
A year ago I gave my first talk at BSides London.
And that was just a start, a pretty nervous start, but with support and help from the infosec world a lot did happen: lots of conferences, lots of connections, lots of interviews. I learned a lot, want to learn more, and it changed my life.
My journey in infosec world:
In this talk we'll walk through the evolution of Browser Fingerprinting techniques which are used to model cross-domain user behavior. In this privacy conscious world, where security engineers wearing the blue hat are trying hard to protect user behavior modeling, web authors come up with new and novel techniques that bypass these protections and track users for financial gains. In this talk we'll look at how this cookie-less monster has evolved over the years, starting from misusing web features like CSS styles, audio contexts, fonts, screen resolution/depth/zoom, canvas, security headers, service workers, 1x1 pixels, and timing side channels. We will look at some mitigations that prevent these techniques, discuss design considerations for new features to proactively prevent such tracking and finally discuss what users can do to protect themselves.
The Raspberry Pi is one of the most useful "Drop Boxes" out there, but can we make it better for Social Engineering exercises?
Intelligence aims to reduce uncertainty so that decision makers can select the best course of action for a given problem. As private sector intelligence capabilities continue to evolve, analytic tradecraft techniques are increasingly being incorporated into operational and strategic cyber threat intelligence (CTI) solutions.
Driven in part by its response to major security events such as the WannaCry attack in 2017, this talk focuses on how structured analytic techniques (SATs) can be leveraged to reduce uncertainty in intelligence assessments. SATs provide a framework for identifying discriminating evidence, producing sharp and robust assessments, and allowing easier collaboration and peer review by colleagues. Approaches such as the Analysis of Competing Hypotheses (ACH) and Cone of Plausibility are perhaps the most featured SATs in use today, but there are several other methods available. The talk will discuss specific use cases and highlight the pros and cons of these different approaches.
Attendees will learn about:
OAuth 2.0 is commonly encountered as a means for a user to authorize third-party websites to access their account at web-based service providers, such as email providers or social networks. In addition to this, the OAuth 2.0 standard also describes methods to authorise an application running on a user's mobile device to access these services. In this talk we will explore the additional security requirements and challenges that this poses and review the mitigations which must be considered for both application developers and service providers.
This talk is based on BlackBerry's real-world experience of developing and securing applications using OAuth and is aimed at anyone building or breaking mobile apps that use OAuth 2.0. It aims to examine the OAuth 2.0 for Native Apps standard in detail and describe its components, configurations and modes of operation and highlight the key differences and considerations between web-based and native authorization. Common pitfalls will be examined, examples of how flawed implementations can be exploited by attackers will be demonstrated and the mitigations that can be used to prevent these attacks will then be explored.
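One of the key native-versus-web differences the abstract points at, as an added example that is not BlackBerry's code: a native app is a public client, so it cannot hold a client secret, and its custom-scheme redirect URI can be registered by another app on the same device. OAuth 2.0 for Native Apps (RFC 8252) therefore requires PKCE (RFC 7636): the app sends a SHA-256 challenge with the authorization request and the matching verifier with the token request, so an app that hijacks the redirect gets the authorization code but cannot redeem it. Both sides are modelled in one process below; the authorization server, client id and redirect scheme are illustrative assumptions, and the challenge test vector is the one published in RFC 7636.

```python
"""PKCE (RFC 7636) S256 exchange for a native app, with the redirect-hijack
case. Added example; the server model and identifiers are illustrative."""
import base64
import hashlib
import hmac
import secrets


def b64url(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def make_verifier(nbytes=32):
    """code_verifier: 43..128 unreserved chars; 32 random bytes give 43."""
    return b64url(secrets.token_bytes(nbytes))


def challenge_s256(verifier):
    """code_challenge = BASE64URL(SHA256(ASCII(code_verifier)))."""
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())


class AuthServer:
    """Minimal authorization server: each code is bound to the challenge it was issued with."""

    def __init__(self):
        self.codes = {}

    def authorize(self, client_id, redirect_uri, code_challenge, method):
        if method != "S256":
            raise ValueError("plain PKCE must not be accepted from native apps")
        code = secrets.token_urlsafe(24)
        self.codes[code] = (client_id, redirect_uri, code_challenge)
        return code

    def token(self, code, client_id, redirect_uri, code_verifier):
        entry = self.codes.pop(code, None)     # single use: a replayed code fails
        if entry is None:
            return None
        issued_client, issued_redirect, challenge = entry
        if issued_client != client_id or issued_redirect != redirect_uri:
            return None
        if not hmac.compare_digest(challenge_s256(code_verifier), challenge):
            return None
        return "access-token-for-" + client_id


def native_app_login(server, redirect_hijacked=False):
    """The app's side of the flow. With redirect_hijacked=True the token request
    is made by another app that captured the code but never saw the verifier."""
    verifier = make_verifier()                       # kept in app memory only
    redirect = "com.example.app:/oauth2redirect"     # custom scheme, as in RFC 8252
    code = server.authorize("native-app", redirect, challenge_s256(verifier), "S256")
    if redirect_hijacked:
        return server.token(code, "native-app", redirect, make_verifier())
    return server.token(code, "native-app", redirect, verifier)
```

Without PKCE the hijacking app would win: it holds the code and, being a public client, needs no secret to exchange it. With it, the server's check of the verifier against the stored challenge is what makes the intercepted code worthless.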
The OODA (Observe – Orient – Decide – Act) loop is a conceptual model of human decision-making that we all use whether we are aware of it or not. Originating in military strategy, it is especially relevant when two parties have opposing goals as it makes it possible for one side to exploit flaws in their adversary's decision making process; conversely, understanding the OODA loop allows one to protect the integrity of one's own decision making.
This talk will briefly introduce the concept of OODA loops and explain why they are both relevant and useful in an infosec context through a number of case studies showing how the model can be applied to real-world attacks. It will describe typical OODA loops used by both attackers and defenders then explain how attackers' OODA loops can be disrupted to reduce dwell time and frustrate them in achieving their objectives.
Defending an organisation from all threats, be they physical, personnel, or cyber, is not easy and every organisation has its own challenges. Company X is a security company itself and is lucky to have large numbers of security experts, however, they are generally all busy and cannot give limitless time to internal causes. As such, like many organisations, the internal security team at Company X has had to work out how to push security out to other teams, make the absolute most of expert time that we can, automate as much as possible and bring the rest of the company along for the ride. This talk will cover lessons learnt, successes and failures and what other teams could be trying.
Specifically the talk will cover:
Regardless of skill, anyone with an internet connection can stitch together a complex attack with very little effort. Organisations must understand their adversaries, both skilled and unskilled, in order to protect against all manner of threats. This presentation will demonstrate the tools available for purchase on the dark web, how easy it is to acquire them and how they can be used to target individuals and organisations both large and small.
Have you ever wanted to learn more about how payments work? Do you want to know how criminals bypass security mechanisms on Point of Sale terminals, ATMs and digital wallets? Payment technologies are a transparent part of our lives. They enable us to pay for everything from a coffee to a car. In the first part of this talk we take a look at payment technologies past, present and future. Learn how payments have evolved and what transactions look like today.
Next we'll dive into the different attacks that are possible with each transaction type and discuss which areas security teams should be focused on now, and in the future. Learn how hackers gain access to banking endpoints, bypass fraud detection mechanisms, and how they ultimately cash out.
Payment methods have changed vastly in the last 50 years, from the development of the ATM to the more recent adoption of digital payment methods. These days it's hard to find a shop, restaurant or café that doesn't accept card or contactless payments. In this talk, firstly, we will demystify payment methods so that anyone can understand. What is NFC? EMV? and Tokenization? This talk will leave you with a great understanding of how payments work.
In the second part of this talk we will cover demonstrations of the risks associated with payments. If you are considering integrating payment technologies into your business, or already accept payments, pay close attention. Working from case studies and our own experience, we'll dive into the different attacks that are possible with each transaction type. We'll look at techniques used to gain access to endpoints such as ATMs and POSs. Next we'll explore the tactics used to bypass fraud detection mechanisms, and the multipliers employed by attackers to make the payout huge.
Many organisations have been collecting security data for some time, in log management systems or their own security data lakes. Getting real value and security insights from that data however has been a real challenge. Traditional SIEM vendors have provided tools to ask simple questions of the data using correlation rules but deeper insights about user or entity behaviour are resistant to such approaches. In this presentation I will explore the open source tools and techniques for applying data science to your security data in order to identify what is normal behaviour and what constitutes a threat to your organisation. I'll look at the challenges you will face and some of the approaches for overcoming those challenges. I will explain why this requires a multi-disciplinary team and that simply hiring a data scientist and giving him or her access to your Hadoop data lake is unlikely to produce usable results.
While the nature of this talk is technical and detailed it does not assume any knowledge of Machine Learning and AI. Artificial intelligence based algorithms have proved to be very successful at learning to do very complicated tasks including playing games like Go, Chess and Atari games from the 80's. It is only a matter of time before these same techniques get applied on the offensive side to attack and exploit endpoints, applications and networks. On the flip side there are a number of solutions that claim to use AI and Machine learning to defend against those pesky hackers, let alone those persistent computer algorithms. The reality is that the odds are stacked against the defenders with the AI and machine learning problem more suited to offensive than defensive applications. The talk starts off by providing a lightning introduction to machine learning. This is followed by examining the state of the art in machine learning and AI with respect to Information Security and examining how these apply to both offensive and defensive uses. The presentation will examine how clever algorithms including reinforcement learning and math hacks may be used to trivially evade state of the art defensive applications. We also look at what our defensive options are. The presentation finishes by predicting where all this may lead and the impact on application security and network security in general.
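The "what is normal for this entity" question raised two abstracts above, as an added example rather than either speaker's material: instead of a global correlation rule ("more than N logins a day"), each user's daily activity is scored against that user's own history with a robust median/MAD deviation, and a day is flagged only when it departs from that baseline. The log format, the two users and the threshold are constructed for illustration; real data would need the same treatment per entity type (user, host, service account) and a much longer window.

```python
"""Per-entity baselining over constructed authentication logs, using a
robust (median / MAD) deviation score. Added example; format is assumed."""
from collections import defaultdict
from statistics import median


def constructed_log():
    """Constructed sample, one event per line: '<date> <user> <src_ip> <result>'."""
    lines = []
    for d in range(1, 8):                                    # alice: one login a day
        lines.append("2018-03-%02d alice 10.1.1.20 ok" % d)
    lines += ["2018-03-08 alice 198.51.100.9 ok"] * 12        # then 12 from a new address
    for d in range(1, 9):                                    # bob: a service account, 10 a day
        lines += ["2018-03-%02d bob 10.1.2.7 ok" % d] * 10
    return lines


def parse(lines):
    events = []
    for line in lines:
        line = line.strip()
        if line:
            day, user, src, result = line.split()
            events.append((day, user, src, result))
    return events


def robust_score(value, history):
    """(value - median) / MAD. MAD is floored to 1 so a perfectly flat history
    still produces a finite score instead of a division by zero."""
    med = median(history)
    mad = median(abs(h - med) for h in history) or 1.0
    return (value - med) / mad


def find_anomalies(events, threshold=5.0, min_days=4):
    """Score each user's most recent day against that user's earlier days.
    Returns (user, day, count, score, new_source_ips) for flagged days."""
    counts = defaultdict(lambda: defaultdict(int))
    sources = defaultdict(lambda: defaultdict(set))
    for day, user, src, _result in events:
        counts[user][day] += 1
        sources[user][day].add(src)

    findings = []
    for user, per_day in counts.items():
        days = sorted(per_day)
        if len(days) < min_days:
            continue                       # not enough history to call anything normal
        history = [per_day[d] for d in days[:-1]]
        last_day, last = days[-1], per_day[days[-1]]
        score = robust_score(last, history)
        if score >= threshold:
            seen_before = set().union(*(sources[user][d] for d in days[:-1]))
            new_src = sorted(sources[user][last_day] - seen_before)
            findings.append((user, last_day, last, round(score, 1), new_src))
    return findings


if __name__ == "__main__":
    for f in find_anomalies(parse(constructed_log())):
        print("user=%s day=%s logins=%d score=%.1f new_sources=%s" % f)
```

Bob's ten logins a day never fire because ten is his median; alice's twelve do, and the finding carries the unseen source address as context for the analyst. A fixed "more than ten" rule would have done the opposite: paged on bob every day and carried no context for alice.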
Unfortunately today, hackers and cybercriminals have holidays, days off and vacations too, and it is very unlikely for them not to employ their infosec and social engineering skills to organize their travel. We will talk on how they have created their own ecosystem that exploits literally the whole hospitality and travel industry for their own needs. This presentation covers underground activities related to the Travel and Hospitality industries, including underground travel agencies, cheap flights, hotels, car rentals and unveils mechanisms and modus operandi for these services. This includes a variety of abuses, from business process compromises to credit card fraud and exploitation of vulnerabilities in travel systems and mileage programs. With this talk we hope to bring more attention to the on-going criminal activities related to the travel and hospitality industries.
Have you ever wondered about what makes a Zombie Apocalypse? I mean, what's the difference between an actual "apocalypse" and just a handful of Zombies who took a wrong turn and ate some people? Who even makes that call?
Whoever calls it, I'm guessing no-one ever expects the Zombie Apocalypse until it actually officially "happens". Right up to that point all you have is a set of unconnected Tweets with blurred photos that people claim are Zombies, but nobody really takes them seriously.
I wonder if the same thing could be happening to us in security?
We're living in an extraordinary time. We're continuing to see a steady escalation in the intensity and complexity of nation-on-nation cyber campaigns. A nascent geo-political conflict between global players in cyberspace is now affecting innumerable private sector businesses, organisations and individuals around the world. As we witness conflicts between nation states in cyberspace, it's worth noting that they are occurring on the Internet - a stage that all of us share. Never has the realm of computer security been more followed in the mainstream, nor indeed has it ever played such a significant role in the day-to-day life of the average man on the street. The changes sweeping our domain today have far-reaching implications, not only for security but also for society. So many of these issues are being driven and shaped by things out of our control, and, as an industry, we need to start fighting these problems at the root.
As hackers and security professionals, we need to urgently note that these are issues that go far beyond the scope of our day jobs as defenders of corporate digital assets. We're going to have to come face-to-face with truly 'advanced' technical threats and learn the language of legislatures, court-rooms, media, military, intelligence and the political domain. There is an urgent need for cyber security professionals to be able to participate in discussions and decisions at levels far beyond our current comfort zone.
For those of us who can master these new skills, this is a once-in-a-lifetime opportunity to tangibly change the world.
This is a presentation that tries to make the link between lots of diverse 'Zombie' sightings in our space, and discuss how we need to move way beyond the question of technical skills and learn to assume a mature leadership role that can actually shape policy in support of our fundamental principles.
Wipers are an APT's new best friend. Traditionally destructive malware appears rarely in cyber espionage and generally runs counter to the conventional interests of an APT - intelligence collection/data exfiltration, persistence, and covert access, for example. Wiper malware now seems to be manifesting more often, emerging in APT toolkits and found in at least five wiper attacks occurring in just 2017, despite only a handful of other major attacks in the last decade. The minimal instances of destructive operations over the last several years suggest how cautious APT groups are about using wipers. Does this mean the motivations of state actors are changing? What are the different uses of these wipers? This paper will examine three different classifications of wipers through examples of various politically targeted attacks: espionage, sabotage, and diversion. Espionage will reference the usual motivations of state actors, while incorporating a new tactic; this will also describe the unusual appearances of wiper functionality in intrusions without its use in the wild. Sabotage will cover prominent examples such as Narilam, Shamoon, and DarkSeoul, which show the effects of deliberate system destruction. Finally, 2017 will highlight the emergence of a new attacker strategy behind wiper use in NotPetya and the Lazarus Taiwan bank heist - diversion. This paper will argue that wipers have become a low-cost way for state actors to conduct destructive attacks, which have significantly more impact on victims as well as impede investigation into primarily non-destructive attacks. It will evaluate the new trend among APTs and conclude with an assessment of costs for defenders, both political and financial.
Why do organisations fail so badly at threat detection? Despite chucking tons of cash at staff and magic next-gen ML products, detection teams rarely deliver reliable, high quality, tangible results. Where are we going so wrong?
This talk will step through key issues such as re-inventing the wheel syndrome, why information accumulation/sharing matters, the traditional SOC model and detection priorities, building/retaining awesome employees and an honest look at the state of detection tooling (and often underestimated deployment hurdles).
Although perhaps surprising, many issues actually have simple solutions which will be discussed throughout the talk. Technical examples will be used to quantify the challenges and how solutions can work in the real world, with lessons learnt coming straight from the experiences of the Company Y hunt team.
During a red team engagement we breached a web server that only allowed HTTP inbound and no outbound connections. While able to upload web shells, reverse shells were unable to establish a connection back to us and as all ports were firewalled, bind shells were not an option. Furthermore, the only existing tool we were aware of, TUNNA, proved to be too slow for practical exploitation.
In this talk we'll introduce ChunkyTuna, a web shell which allowed us to pivot through the compromised server and reach further into the target network. ChunkyTuna began as a reengineering of TUNNA which utilizes the "transfer-encoding: chunked" HTTP mechanism rather than a constant poll loop with request/response pairs. In effect ChunkyTuna piggybacks an existing HTTP connection to offer near direct access to either the STDIO streams of an arbitrary process or the IO streams of an arbitrary TCP port, in a manner similar to the streaming of a media file with unknown content-length.
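The transport idea behind the abstract, as an added example that is not ChunkyTuna's code: a chunked HTTP body (Transfer-Encoding: chunked) is a sequence of hex-length-prefixed pieces ended by a zero-length chunk, so the sender can emit each piece of a process's output the moment it exists, and the receiver can parse pieces out of whatever bytes have arrived without waiting for the whole body or polling. The encoder, the incremental decoder and the demo are illustrative: the demo streams a child process's stdout over a local socketpair, standing in for the HTTP connection a real web shell would ride, and the command it runs is constructed.

```python
"""Streaming a process's output as HTTP chunks, and parsing chunks as they
arrive. Added example; uses a local socketpair in place of a web server."""
import socket
import subprocess
import sys
import threading


def encode_chunk(data):
    """One chunk: hex size, CRLF, payload, CRLF. b'' encodes the terminating chunk."""
    return b"%x\r\n%s\r\n" % (len(data), data)


class ChunkedDecoder:
    """Incremental parser: feed() returns every payload completed so far and
    keeps any partial chunk buffered until the rest of it arrives."""

    def __init__(self):
        self.buf = b""
        self.done = False

    def feed(self, data):
        self.buf += data
        out = []
        while not self.done:
            nl = self.buf.find(b"\r\n")
            if nl < 0:
                break                                    # size line incomplete
            size = int(self.buf[:nl].split(b";")[0], 16)  # ignore chunk extensions
            need = nl + 2 + size + 2
            if len(self.buf) < need:
                break                                    # payload incomplete
            payload = self.buf[nl + 2:nl + 2 + size]
            self.buf = self.buf[need:]
            if size == 0:
                self.done = True                         # last-chunk (no trailers handled)
            else:
                out.append(payload)
        return out


def stream_process(cmd, sock):
    """Sender side: run cmd and push each stdout line through sock as one chunk."""
    proc = subprocess.Popen(cmd, stdout=subprocess.PIPE)
    with sock:
        for line in proc.stdout:
            sock.sendall(encode_chunk(line))
        proc.wait()
        sock.sendall(encode_chunk(b""))


def run_tunnel_demo(cmd):
    """Receiver side: read the stream in small pieces, decoding as bytes arrive.
    Returns the reassembled process output."""
    sender_end, receiver_end = socket.socketpair()
    worker = threading.Thread(target=stream_process, args=(cmd, sender_end))
    worker.start()
    decoder = ChunkedDecoder()
    pieces = []
    with receiver_end:
        while not decoder.done:
            data = receiver_end.recv(7)   # deliberately tiny reads so chunks split across calls
            if not data:
                break
            pieces += decoder.feed(data)
    worker.join()
    return b"".join(pieces)


# Constructed command: a child process that emits three lines.
DEMO_CMD = [sys.executable, "-c", "import sys\nfor i in range(3):\n    print('line', i); sys.stdout.flush()"]

if __name__ == "__main__":
    sys.stdout.write(run_tunnel_demo(DEMO_CMD).decode())
```

The decoder never needs a Content-Length, which is the property that lets a single long-lived request carry an interactive shell or a TCP stream; in practice the web server, any reverse proxy and the web shell's runtime must all pass chunks through without buffering the whole response, which is the deployment detail that decides whether such a tunnel is usable.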