Voting closes at midnight on 13th of April, 2017! Please ensure you have voted by then.
There are 37 talks on offer and we recommend you take the time to read through the abstracts. At the bottom of the page is the form to vote with. Please score at least 10 of the talks to your preference. Please score the talks you would like to see from 1 to 10 (10 being the highest).
In order to vote you need to provide your email address and your ticket number or hotel booking reference. We recognise that a large number of you are looking to pick tickets up on the door, so the ticket number is not compulsory to vote - but we do ask that only those planning to attend actually vote.
If you want to go straight to the voting form click here which will open in a new tab.
We've seen in 2016 the datapocalypse of 3rd party data breaches, with conservative estimates reaching around 1.5-3 billion people's information being leaked or dumped on the Internet. Yet these numbers somehow mask the very real impact of these breaches. Many companies and organisations have been exposed without ever really noticing. In 2016, 100% of the FTSE 100 had their email domain in 3rd party data breaches. This talk does look at what has happened, but more importantly it looks at the journey I took to build a data-dump search engine.
Like many things in life, it's easier said than done. Why should you be concerned? Because this is passive OSINT, that can reveal so much about a company/organisation without an attacker ever touching Google or their site. What is your current exposure to dumps and leaks online?
When using anonymous networks like Tor or I2P, one problem is always how to prevent spam/DoS attacks when you cannot distinguish one entity from another, and hence cannot limit them without either compromising their anonymity by requiring registration of some kind, or requiring captcha-like challenges which are time consuming to implement and usually only a temporary solution at best.
Here I introduce a new kind of authentication system based on homomorphic properties of elliptic curve cryptography and zero knowledge proofs called "Linkable Ring Signatures". It allows one to add their public key to a larger group of existing public keys, called a "ring", and sign using the entire "ring" of keys + private key in such a way that no one can tell which private key has signed the message, but can mathematically verify that it was one private key corresponding to one of the public keys in the ring. On top of that, it allows a verifier that only has access to the public keys in the ring to make sure that for any one [message, ring] pair, a private key has only signed it once - duplicate signatures for the same message are detectable.
This allows for limiting interactions from any party holding one of these access keys (to say, one message per minute per key), without the party losing any anonymity as their signature is indistinguishable from any other party in the ring.
Furthermore, because ring signatures use a cryptographic component called "zero knowledge proofs", signing reveals zero information about the private key - hence no matter how many signatures are generated, it is impossible to use them to try to forge messages or fingerprint/bruteforce the signer key. The proof of this will be shown in the talk.
In this talk I will walk through the cryptographic primitives that make this possible, and show a demo service on Tor/I2P that implements this scheme to make an anti-spam anonymous forum.
The level of difficulty of this talk is 4 and I consider it suitable for Pentesters, Hackers and so on, Techie or general geek.
This talk has not been presented at other conferences and it can be filmed and released.
Blockchains offer users the ability to securely transfer money without a trusted party or intermediary. The transparency of transactions enables public verifiability, at a cost to user privacy. Although on-chain addresses are unlinked from off-chain identities, the flow of funds is traceable. Ring signatures allow a message to be signed that verifies with respect to a group of public keys, rather than a specific key like general digital signatures. We can use this property to unlink sender and recipient pairs in blockchain transactions, giving participants anonymity with respect to an anonymity set!
We construct a scheme that is compatible with the Ethereum platform, which has a Turing-complete virtual machine woven in with its blockchain. The scheme unlinks sender and recipient address pairs, and payee addresses are indistinguishable from random to even the payer of the transaction in question.
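The two ring-signature abstracts above (the Tor/I2P anti-spam scheme and the Ethereum unlinking scheme) both rest on the same primitive, so here is one added worked example that serves both. It is not code from either talk: it is a minimal LSAG-style linkable ring signature written in pure Python over secp256k1, using SHA-256 for the challenge hash and a try-and-increment hash-to-point; the `scope` tag (a rate-limit slot such as a minute bucket) used to derive the key image is an assumption made here so that two signatures by the same key in the same ring and slot share a key image and are linkable, while signatures in different slots are not. The signer's secret never appears in the signature, only in `r[s]`, which is blinded by the random nonce `u`.

```python
# Added example, not code from either talk: a minimal LSAG-style linkable ring
# signature over secp256k1 in pure Python. The curve, SHA-256 and the "scope"
# tag used for linking are assumptions made here for illustration. Demo only:
# nothing is constant time.
import hashlib
import secrets

# secp256k1 domain parameters
P = 2**256 - 2**32 - 977
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

def ec_add(A, B):
    """Affine point addition; None is the point at infinity."""
    if A is None:
        return B
    if B is None:
        return A
    (x1, y1), (x2, y2) = A, B
    if x1 == x2:
        if (y1 + y2) % P == 0:
            return None
        lam = 3 * x1 * x1 * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)

def ec_mul(k, Q):
    """Double-and-add scalar multiplication."""
    R = None
    k %= N
    while k:
        if k & 1:
            R = ec_add(R, Q)
        Q = ec_add(Q, Q)
        k >>= 1
    return R

def encode(Q):
    return b"\x00" if Q is None else Q[0].to_bytes(32, "big") + Q[1].to_bytes(32, "big")

def hash_scalar(*parts):
    """Length-prefixed SHA-256 of all parts, reduced into the scalar field."""
    h = hashlib.sha256()
    for part in parts:
        h.update(len(part).to_bytes(4, "big") + part)
    return int.from_bytes(h.digest(), "big") % N

def hash_to_point(data):
    """Try-and-increment hash to a curve point whose discrete log nobody knows,
    so the key image x*h does not reveal which public key x*G it belongs to."""
    ctr = 0
    while True:
        x = int.from_bytes(hashlib.sha256(data + ctr.to_bytes(4, "big")).digest(), "big") % P
        rhs = (pow(x, 3, P) + 7) % P
        y = pow(rhs, (P + 1) // 4, P)   # P = 3 mod 4: a square root if one exists
        if y * y % P == rhs:
            return (x, y)
        ctr += 1

def keygen():
    x = secrets.randbelow(N - 1) + 1
    return x, ec_mul(x, G)

def _challenge(L, I, scope, msg, z1, z2):
    return hash_scalar(L, encode(I), scope, msg, encode(z1), encode(z2))

def sign(msg, ring, s, x, scope):
    """Signer sits at ring index s with secret x. The key image I = x*H(ring, scope)
    is the linking tag: same key, ring and scope -> same I."""
    n = len(ring)
    L = b"".join(encode(Y) for Y in ring)
    h = hash_to_point(L + scope)
    I = ec_mul(x, h)
    c, r = [0] * n, [0] * n
    u = secrets.randbelow(N - 1) + 1
    c[(s + 1) % n] = _challenge(L, I, scope, msg, ec_mul(u, G), ec_mul(u, h))
    i = (s + 1) % n
    while i != s:                        # walk the ring back round to the signer
        r[i] = secrets.randbelow(N - 1) + 1
        z1 = ec_add(ec_mul(r[i], G), ec_mul(c[i], ring[i]))
        z2 = ec_add(ec_mul(r[i], h), ec_mul(c[i], I))
        c[(i + 1) % n] = _challenge(L, I, scope, msg, z1, z2)
        i = (i + 1) % n
    r[s] = (u - c[s] * x) % N            # close the ring with the secret key
    return (c[0], r, I)

def verify(msg, ring, scope, sig):
    c0, r, I = sig
    L = b"".join(encode(Y) for Y in ring)
    h = hash_to_point(L + scope)
    c = c0
    for i, Y in enumerate(ring):
        z1 = ec_add(ec_mul(r[i], G), ec_mul(c, Y))
        z2 = ec_add(ec_mul(r[i], h), ec_mul(c, I))
        c = _challenge(L, I, scope, msg, z1, z2)
    return c == c0

def linked(sig_a, sig_b):
    """True if both were made by the same key in the same (ring, scope)."""
    return sig_a[2] == sig_b[2]

if __name__ == "__main__":
    keys = [keygen() for _ in range(4)]
    ring = [Y for _, Y in keys]
    slot = b"slot:2017-04-13T10:05"      # constructed rate-limit bucket
    first = sign(b"post #1", ring, 1, keys[1][0], slot)
    second = sign(b"post #2", ring, 1, keys[1][0], slot)
    print("valid:", verify(b"post #1", ring, slot, first))
    print("rate limit hit (same key, same slot):", linked(first, second))
```

A forum front end would keep the key images it has seen for the current slot and reject any new post whose image is already present, without learning which ring member posted. A verifier given only the ring's public keys cannot compute anyone's key image, because `hash_to_point` yields a point with no known relation to `G`.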
In late 2016 a TR-064 (LAN-side CPE management) misconfiguration in a wide range of CPE devices was disclosed that allowed for remote device takeover. Within days, botnets began exploiting a related command injection issue, leading to widespread internet outages for customers of certain ISPs in the UK and abroad. This talk will explore the impacts of these issues, along with taking a look at some other, related vulnerabilities in TR-069 (WAN-side CPE management) protocol implementations that could allow for remote takeover of routers en masse.
In this talk, David will give you an overview of the Riot Games Application Security program. The talk will focus on the tech and social aspects of the program and why David feels both are important when it comes to writing secure code. Specifically David will talk about how we define Application Security at Riot, how we’ve grown to meet the demands of our fast paced engineering organisation, why we’ve hired software engineers into our team and the tools we’ve developed to help Rioters globally build fun and safe experiences for our players.
David will also explain why he's been working with a behavioural scientist from our Insights team to help level up security at Riot. Software will never be free of security vulnerabilities, so this talk will also explain why Riot runs a bug bounty program and how that's changed our Application Security program.
We all know that smoking is bad for your health, but what about your or your organisation's security? I'll show you that an eCig isn't just a glorified smoke machine but a low power, battery operated, exploitation platform. I'll show you how easy it is to decrypt the firmware, write your own functionality and use this to pwn some systems, turning your eCig into everything from a keyboard to a USB stick.
On the way we'll do a bit of reverse engineering, write a bit of code and show how you can do most of this on a shoe string budget. Looking for ways to defend against attacks like this? I have some options.
Consider this talk if you want another reason to ban smoking at your organisation.
On November 24, 2014, "Guardians of Peace" (GOP) released confidential data from the film studio Sony Pictures. North Korea were blamed. My talk will very briefly look at what happened (the opening section, what happened, will be very brief because it's quite common knowledge that they got hacked); the talk will then quickly move on to technically how it was achieved, which is not so commonly known, especially showing demos of how each stage could have been achieved. The demo and how it was achieved is what I personally found interesting during researching this. What concludes is how closely the attack mirrored a typical external social engineering / internal penetration test.
The talk will not in any way disrespect any parties but it will remove the hype, revealing what in reality was a crude and simple attack that could have easily been performed by a single person and not what people would expect from a nation state attack. The talk will be backed up with stats, and examples from personal experiences from external/internal social engineering, infrastructure and application testing. It will include demos, showing how an attack achieved by the GOP would be simple to replicate due to commonly overlooked security hardening measures.
During the talk there will also be a section on what can go wrong, before and after gaining access to an internal network, and then how to get round this, and how to protect. Then, if time permits, the talk will conclude by revealing an alarming way to achieve such an attack that has not been considered or discussed before. Areas that will be covered are:
Offensive and Defensive Technologies and Techniques. Owning the Enterprise, Infrastructure, external and internals. Cybercrime.
A tongue-in-cheek discussion of what we can do if we assume that the most common software stacks in the world are broken fundamentally. SSL/TLS is riddled with holes from the protocol down to the implementations; PHP has had an interesting track record when it comes to vulnerabilities, and the closed source world isn't much better. How do we survive?!
DNS RPZ has had a bad reputation in the past and can be perceived as meddling with a core internet protocol, however it is an effective layer of defence against malware, botnets and phishing. I'll talk through the challenges of defending a large and diverse network and how you can deploy DNS RPZ to help stop many common threats facing unmanaged endpoints.
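As an added illustration of what a deployment looks like (this is not the speaker's configuration), below is a BIND-style RPZ zone file showing the main trigger and action types. It assumes BIND's `response-policy` option is pointed at the zone, i.e. `response-policy { zone "rpz.example.internal"; };` in `named.conf` plus an ordinary `zone "rpz.example.internal" { type master; file "..."; }` stanza. All hostnames are constructed, and 192.0.2.0/24 is a documentation netblock standing in for a known C2 range.

```text
; Added example: rpz.example.internal.db (constructed names, not the talk's zone)
$TTL 300
@                       IN SOA  localhost. hostmaster.example.internal. (
                                2017041301 3600 600 86400 300 )
                        IN NS   localhost.

; QNAME triggers: rewrite answers for a queried name.
; CNAME "." => NXDOMAIN for the phishing host and every subdomain under it
phish.example.          CNAME .
*.phish.example.        CNAME .

; CNAME "*." => NODATA: the name exists but carries no records of the requested type
tracker.example.        CNAME *.

; Local data => redirect the client to a walled-garden / sinkhole you control
malware-c2.example.     CNAME sinkhole.example.internal.

; IP trigger: any answer that resolves into 192.0.2.0/24 is rewritten to NXDOMAIN
; (encoding is <prefixlen>.<reversed octets>.rpz-ip)
24.0.2.0.192.rpz-ip     CNAME .

; NSDNAME trigger: anything served by this bulletproof-hoster nameserver
ns1.badhoster.example.rpz-nsdname  CNAME .

; Pass-through exception: never rewrite the corporate domain, whatever other rules say
corp.example.           CNAME rpz-passthru.
*.corp.example.         CNAME rpz-passthru.
```

After reloading, `dig @127.0.0.1 phish.example` should return NXDOMAIN while `dig @127.0.0.1 corp.example` is answered normally; named logs every rewrite under the `rpz` logging category, which is what turns the resolver into a detection sensor for unmanaged endpoints as well as a block.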
Have you ever watched a film where the actor attaches a 'hacking device' to something, and after a few seconds (and some flashing lights) the thing magically unlocks? Did you think to yourself 'that's totally unrealistic!'? Well now it's real life! Building on the previous credential stealing attack by Mubix, Trevor and Jon have created 'Pi-Key', a £20 device built on the Raspberry Pi Zero which steals credentials from Windows machines, cracks them and then unlocks the machine, all in under 60 seconds*.
This talk explains the tool we've built and how it works, why we chose the final components we did and finally the success rate we've had. All instructions and code will be available after the talk so you can build your own!
In the ever changing security landscape we are slowly seeing a shift from labelling hackers by default as 'bad and malicious individuals', to accepting them more often as 'useful and potentially friendly'. We see more and more companies starting a bug bounty program and/or a Responsible Disclosure (Coordinated Vulnerability Disclosure) program. We in the Netherlands are (at least in Europe) leading the pack on this last subject, backed heavily by the Dutch NCSC, the Dutch government and the Dutch prosecution services, with their Responsible Disclosure guideline.
In this interactive and mostly humorous talk I’ll start with defining security (in a grotesque way), followed by the ‘real’ definition of hackers, the way hackers think and work, and how they can be used instead of feared by companies. I’ll show how bug bounties and the Responsible Disclosure processes can work, but also how they sometimes do not. I will take the audience with me along the path to these fails, and discuss the way we can –or could have- improve(d) these processes. I might even please you with some nice IOT drama. My final ‘calculation’ will try to open the door to a safer online world! (from a hacker’s point of view that is.) ;) During the talk I interact a lot with the audience, do humorous quiz questions about the subject, and reward good answers with a bottle!
The approach to discussing, rationalising and accomplishing attribution outside of the Intelligence Community is inherently flawed. It is a one dimensional discussion, that results in a false dilemma around the origins of an 'attack'. Most security researchers, whether they care to admit it or not, are attributing based on tribal knowledge, inherited from previous IC engagements. What I aim to put forward is a more effective, and structured way to articulate and formally frame what the current level of attribution is for a given group.
This talk unpacks the current one dimensional approach, challenges the necessity to 'fully attribute' and creates a mechanism that can enable network defenders to effectively communicate with their peers and seniors what the threats are, who they might be and how they have reached that conclusion. Maintaining state on how we have truly reached the current level of attribution for a group, and establishing rigour and accountability around the complex process of attribution, are the aims of this talk.
Thinking and discussing the future of IT and IT systems ten years in the future is a daunting task and it’s easy to plunge into a dystopian vision. From the Matrix to Westworld and Mr. Robot, Hollywood thinks we are in for a rough future. Join Ian Trump, Global Cyber Security Strategist, SolarWinds for a proactive timeline of future events. Nation state conflicts, hacktivist insurgency and prolific cyber-crime will force key future developments – these developments will have profound societal implications.
Will the hopeful technology of today such as AI, the Internet of Things and the emergence of direct brain to network connections be the saviour of the network? Will the attack surface of the future be the human brains and AI systems which are permanently attached to the network? Is a brighter future possible once we endure the forecast of hard times ahead? The network we have today will be the foundation of the network of the next ten years – maybe we can get it right this time?
Hot on the heels of the success of containerisation technologies such as Docker, container clustering and orchestration solutions like Kubernetes have become all the rage with adoption from a variety of sectors including large corporations and government departments. With any new tech stack there are inevitable questions about what security concerns there might be and how they can be addressed. This talk will introduce container clustering and talk about some of the vulnerabilities that need to be addressed when deploying and managing these solutions.
When establishing a testing lab H D Moore tried setting up many machines connected through KVMs, he sensibly gave up and ran everything as virtual machines instead.
I tried harder.
I’ve been geeking and working from home in the same space for over a decade, and for various reasons I’ve persevered with my KVM setup, gradually adding more and more devices and functionality. In that time I’ve learnt a lot about what does and doesn’t work, what to use and what to avoid, as well as how to manage your productivity and attention. In this talk I’ll give you a ten year head start on how to rebuild or change your current environment. Alternatively this is a talk about feature creep.
( This presentation will be an updated and upgraded version of the presentation given to DC4420 in 2016 )
Russian-speaking hackers represent arguably the largest cyber threat to businesses worldwide. This talk will get beyond the hype surrounding Russian cyber threats that has built up following the recent US election cycle. The goal is to provide a simple and clear overview of Russian-speaking cyber crime and profile of Russian based threats.
Remote code execution on a Harvard device where program and data memory are separate can be difficult. Common techniques often involve entering the device bootloader to gain write access to the program memory or implementing purely ROP based applications. The existence of a bootloader that can write to program memory cannot be guaranteed and an attacker may not wish to reboot the device or have a persistent capability. Alternatively complex functionality is tricky to implement with ROP chains which also require reworking when new functionality is required. Here we present a minimal virtual machine that can be built from a single ROP chain of simple gadgets that can execute arbitrary code from data memory rather than program memory on a target device.
This simplifies the development of remote code execution exploits against a device by moving the executed code from complex ROP chains to data, as a sequence of operands for RISC-like load and store instructions. The virtual machine demonstrated here is an AVR based implementation of the Movfuscator virtual machine by Chris Domas. Due to architectural differences between AVR and x86 such as direct memory mapped registers, memory limitations, and the mix of 8-bit registers with 16-bit addressable memory, we introduce a number of novel techniques to bypass or leverage these differences. All source code for the demonstration and building your own VMs will be made available on GitHub.
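The point of the abstract above is that once the ROP chain only has to provide "copy a byte from one address to another" with pointer indirection, everything else (arithmetic, comparison, branching) can live in data memory as lookup tables and operand sequences. The following added C program is not the talk's AVR VM: it is a toy host-side interpreter of that idea, with an assumed memory map, an assumed 4-byte instruction encoding (two addresses of 16-bit pointer cells; the VM does `mem[*dst] = mem[*src]`), and a "program" of pure moves that adds two bytes. Increment, decrement and is-zero are 256-byte tables indexed by writing the operand into the low byte of a page-aligned pointer; the conditional is a two-entry table selected by the is-zero flag; looping is the VM restarting the program until a halt cell is set, which is how the movfuscator model avoids any real branch instruction.

```c
/* Added example (not the talk's AVR code): a toy "move-only" VM in C.
 * Each instruction is  mem[*dst] = mem[*src]  where dst/src are addresses
 * of 16-bit little-endian pointer cells. Memory map, encoding and the
 * addition program are assumptions made here for illustration. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MEM_SIZE 0x10000
static uint8_t mem[MEM_SIZE];        /* entire machine state lives in data memory */

enum {                               /* assumed memory map */
    R_SUM = 0x0000, R_B = 0x0001, T_INC = 0x0002, T_DEC = 0x0003,
    FLAG = 0x0004, HALT = 0x0005,
    P_INC = 0x0010, P_DEC = 0x0012, P_ISZ = 0x0014, P_CS = 0x0016, P_CB = 0x0018,
    CELLS = 0x0020,                  /* constant pointer cells emitted by the assembler */
    CAND_SUM = 0x0100,               /* 2-entry candidate arrays, page aligned:   */
    CAND_B = 0x0200,                 /*   [0] = value if b != 0, [1] = if b == 0  */
    TBL_INC = 0x0300, TBL_DEC = 0x0400, TBL_ISZ = 0x0500,   /* 256-byte tables    */
    PROG = 0x1000                    /* program: 4 bytes per instruction          */
};

static uint16_t rd16(uint16_t a) { return (uint16_t)(mem[a] | (mem[a + 1] << 8)); }
static void wr16(uint16_t a, uint16_t v) { mem[a] = (uint8_t)v; mem[a + 1] = (uint8_t)(v >> 8); }

static uint16_t next_cell, pc_end;

/* Assembler helpers: a pointer cell holding a fixed address, and one instruction. */
static uint16_t cell(uint16_t target) { uint16_t c = next_cell; wr16(c, target); next_cell += 2; return c; }
static void emit(uint16_t dst_cell, uint16_t src_cell) { wr16(pc_end, dst_cell); wr16(pc_end + 2, src_cell); pc_end += 4; }

/* Lay out tables and the move-only program for R_SUM = R_SUM + R_B (mod 256). */
static void build_program(void) {
    int i;
    memset(mem, 0, sizeof mem);
    next_cell = CELLS; pc_end = PROG;
    for (i = 0; i < 256; i++) {
        mem[TBL_INC + i] = (uint8_t)(i + 1);
        mem[TBL_DEC + i] = (uint8_t)(i - 1);
        mem[TBL_ISZ + i] = (uint8_t)(i == 0);
    }
    /* high bytes select a table/page; the program only ever writes the low byte */
    wr16(P_INC, TBL_INC); wr16(P_DEC, TBL_DEC); wr16(P_ISZ, TBL_ISZ);
    wr16(P_CS, CAND_SUM); wr16(P_CB, CAND_B);

    emit(cell(P_INC), cell(R_SUM));        /* P_INC.lo = sum                 */
    emit(cell(T_INC), P_INC);              /* T_INC = TBL_INC[sum]           */
    emit(cell(P_DEC), cell(R_B));          /* P_DEC.lo = b                   */
    emit(cell(T_DEC), P_DEC);              /* T_DEC = TBL_DEC[b]             */
    emit(cell(P_ISZ), cell(R_B));          /* P_ISZ.lo = b                   */
    emit(cell(FLAG), P_ISZ);               /* FLAG = (b == 0)                */
    emit(cell(CAND_SUM), cell(T_INC));     /* candidate if b != 0: sum + 1   */
    emit(cell(CAND_SUM + 1), cell(R_SUM)); /* candidate if b == 0: sum       */
    emit(cell(P_CS), cell(FLAG));          /* P_CS.lo = FLAG                 */
    emit(cell(R_SUM), P_CS);               /* sum = CAND_SUM[FLAG]           */
    emit(cell(CAND_B), cell(T_DEC));       /* candidate if b != 0: b - 1     */
    emit(cell(CAND_B + 1), cell(R_B));     /* candidate if b == 0: b         */
    emit(cell(P_CB), cell(FLAG));
    emit(cell(R_B), P_CB);                 /* b = CAND_B[FLAG]               */
    emit(cell(HALT), cell(FLAG));          /* stop once b has reached zero   */
}

/* The only "control flow": run the program top to bottom, restart until HALT != 0. */
static void run(void) {
    uint16_t pc = PROG;
    while (!mem[HALT]) {
        uint16_t dst = rd16(rd16(pc)), src = rd16(rd16(pc + 2));
        mem[dst] = mem[src];
        pc += 4;
        if (pc == pc_end) pc = PROG;
    }
}

uint8_t vm_add(uint8_t a, uint8_t b) {
    build_program();
    mem[R_SUM] = a;
    mem[R_B] = b;
    run();
    return mem[R_SUM];
}

int main(void) {
    printf("3 + 2 = %u\n", vm_add(3, 2));
    printf("250 + 10 = %u (mod 256)\n", vm_add(250, 10));
    return 0;
}
```

Every line of `build_program` after the tables is the same instruction, which is exactly why a single ROP gadget sequence suffices on the target: the chain only needs to implement one double-indirect byte copy and reset its program counter, and the "program" it runs is plain data that can be swapped without touching program memory.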
Lights, camera, action… just three words can conjure up images, build anticipation, and set the scene.
But what do the words information security, IT security, hacking, or
Over the last few years threat hunting has risen from being a grassroots hands-on defensive technique to all-out hype as security vendors have jumped on the bandwagon. In this talk I wanted to strip away the marketing and talk about real-life threat hunting at scale and how it differs from traditional security monitoring. I'll cover the key datasets, different analytical approaches, cutting-edge TTPs and the people/skills needed to make it happen. I'll also share some real-world compromises that would have been missed by traditional detection but were found through hands-on threat hunting.
The HIDIOT is an open source platform for generic HID emulation and a tool to teach basic electronics, microcontroller programming and hardware hacking skills. Because it's completely open source, it has the unique advantage of being possible to understand at the component level. The HIDIOT is geared mostly for parents and children, with some interesting edge cases for security people. In this talk I'll demo some interesting things you can do, from security edge cases, to cheeky ways of interacting with the Internet through to downright microcontroller abuse, all carried out with a blatant disregard for microcontroller specifications, human safety and the laws of physics.
When users and clients ask for 'secure communications' they often get excited about shiny new equipment that makes them feel like spies, but how do we keep them excited about cyber security and secure communications? In this talk I will walk you through looking at how to build a secure culture, things to consider when implementing secure communications, and finally stories of when others have failed and the consequences of this.
Breaches are happening. It’s headline news. This is not new, but in the age of big data, machine learning, security analytics and threat intelligence, why don't we have secure infrastructure? You see the buzzwords every day, but will conscious (or subconscious) focus on these areas result in improved security posture and fewer incidents? In this talk we consider the reality of today’s threats, looking past the sensationalist media coverage. There are many ways in which attackers and their toolsets have evolved, and the subtlest of features can easily defeat many defences. Automation and velocity of the offensive team are now the key pain points. We seek to realise how the combination of simple best practice and well-selected technology can thwart many attacks; if selecting technology is straightforward. Spoiler, it isn't. We discuss the technology selection process, the pitfalls to avoid, and the reality behind the hyperbole of cybersecurity technology.
If you place best of breed security technology everywhere in your infrastructure, and have ticked off all your cybersecurity buzzwords, you now have secure infrastructure, right? We discuss why automated defence, alongside open and integrable technology, are the key cornerstones to fighting today’s adversaries, in terms of both efficacy and operational cost.
The top 1M websites on the net according to Alexa, how secure are they? In 2016 I tested 1k sites at random from Google top 10 results and found that 44% of them were vulnerable to some kind of injection attack, 40% to XSS, 23% had session bypass issues, 28% broken access control and 58% had some type of known vulnerability. To see how accurate this data was, I tested Alexa's top 1M domains, I also conducted smaller tests into the top 50k domains, 50k domains in the middle of the data set and 50k domains found near the end of the data set.
The talk will cover vulnerabilities found, examples of those vulnerabilities and ways to fix them plus how vulnerabilities correlate to Alexa rank, my responsible disclosure experience, methods used to test 1M sites and the odd meme or two. I will also release and demo some of the scripts built for the research, including xs2pwn which automatically crawls sites, finds XSS entry points and detects vulnerabilities with no user interaction.
Risk Model Security doesn't work. Let's talk about Threat Model Security.
Can you believe that Android apps are now the second most common malware type on Virus Total? That Android has over 1.5 billion active users? Ever wondered how to analyze so many Android apps in order to protect such an enormous number of customers? The good news is that with more apps and more users, there's more "big data" related to the age of apps, their reputation, their certificates, package names, permission lists, services, intents, receivers, and more. Active users can also provide useful information about the Android ecosystem: data such as app sources, device models, firmware versions, geolocation, time of installation and uninstallation of apps, and security status of the device (rooted or not) can all be turned into threat intelligence, without requiring users to give up much, if anything, in the way of privacy.
This talk shows how to build an evidence-based knowledge system out of this sort of privacy-preserving data, and how to use it to pick out undesirable apps such as spyware, ransomware, rootkits and other Android threats proactively. Come and learn how to build an advanced Android Threat Intelligence system that can deliver timely and accurate technical information to pick off new cyberthreats as soon as they appear.
What happens when attackers deploy open-source malware? Looking at open command and control servers to find attackers' toolkits, the problems when Red Teams copy attackers' malware, and the opportunities this all gives to defenders.
Manually authoring ROP chains can be an arduous and time-consuming task. An ecosystem of tools focused on assisting a ROP chain author has emerged to tackle this problem, however many of them focus on building specific commonly-used ROP chains (e.g. execve, mprotect.) But what happens when you need to execute code whose structure and purpose deviates even slightly from these common cases? In order to address the more general (and more challenging) problem of automatically authoring an arbitrary ROP chain, we present our technique - dubbed RASCAL - which allows an exploit developer to do exactly that, changing their design space from one that is limited by their available gadgets and time, to one which is limited only by the capabilities of their target platform.
We present a proof-of-concept tool implementing our approach, and demonstrate its application to an example target. Finally, we present a number of other beneficial side-effects observed to be granted by the technique, including characteristics that will assist in bypassing signature-based detection strategies, along with anti-forensic properties for frustrating researchers and analysts.
It is time we shared our failures, not just those rare exciting security breaches. By looking at some interesting real examples of things that turned out not to be incidents, we will explore the value of documenting and sharing these, and the useful lessons that these can still teach us. This talk introduces protective monitoring and the sort of investigations carried out by Security Operations Centres and the technical skills required to properly assess alarms. The observations from the investigations covered range from analysis tips to technical ideas to cultural considerations, and are of much wider use than just to SOCs. Most importantly, this is a fun talk about sharing things that are frustrating, so others don't have to experience the pain too.
A less technical version was given at EMFCamp 2016, and a preview of the updated talk was given at Hack@Brookes in March.
The certificates we obtain from a Certificate Authority underpin trust on the web. The problem is that if we lose the key for our certificate an attacker can use that certificate to successfully impersonate us for as long as it's valid, potentially years. We need a way to revoke the trust in these certificates so that they can't be abused but all current revocation mechanisms are largely useless. Let's look at the new mechanisms being introduced to address the problem of certificate revocation on the web.
This talk looks at how the cyber world is investigated by security practitioners and academics alike, highlighting the importance of interdisciplinary approaches and the relevance of social psychology within the research. This presentation aims to draw attention to the need for investigating how group processes and social identity within online hacking communities affect the members at individual and group levels. Sections will cover definitions of hacking, the influence of social identity and group processes, and decision making within these groups. Whilst many enjoy hacking as a pastime, there are those who have a continued conflation between hackers and cybercriminals - a damaging and misleading inaccuracy. Perpetuated by media and various government or legal agencies, combined with the lack of insight into online communities, this is a categorisation error which risks alienating a capable and engaged community. Hacking communities have been shown to use their skills and knowledge for various reasons, not just to become cybercriminals.
This talk will bring together key concepts and arguments with regard to the hackers, the community, their role in the cyber world, and potential areas of investigation for the future. It is only relatively recently that the importance of psychology has been acknowledged when investigating the cyber world; there is a strong possibility that the positive role of online communities has been overlooked.
We present a new WiFi-based IMSI catcher which operates by exploiting flaws in the way authentication protocols have been deployed in most of the world's smartphones. Being WiFi-based means that the attacks have the potential to be much easier to take advantage of than traditional 2-4G based IMSI catchers. We explain how users may be tracked when using smartphones and tablets including those running iOS, Android and other mobile OSs. This tracking can be performed silently and automatically without any interaction from the tracked user. We have developed a proof of concept system that demonstrates our IMSI catcher employing passive and active techniques. Finally, we present guidelines for vendors, cellular network operators, and users to mitigate the privacy issues that arise.
Most people in information security have a tendency to lean heavily toward the technical side of decision making, yet our adversaries are relying more than ever on tricking humans, not technology into doing their bidding. The focus of this presentation is to evaluate the ways IT and information security programs interact with users (the customer) and to present a more collaborative approach to working toward securing sensitive data. Users will always introduce risk that cannot be eliminated, but working effectively with people can accomplish more than risk mitigation. Users have their fingers on the pulse of your organization and can become a critical component in the detection phase of security risk management.
While humans will always introduce errors, they are also incredibly skilled at spotting what computers can't. Whether you wish to call it "spidey-sense" or simply intuition, harnessing that ability can turn your staff into a network of remote sensors reporting in on things your tools simply can't see.
In this talk, I will look at ethics in relation to cyber security. Cyber security professionals are often in an exceptionally trusted position, entrusted with the most valued, most confidential, most sensitive secrets of organisations and individuals. The distinctions between grey, white and black hat hacking are well known, as is the fact that these distinctions are often blurred. On a regular basis, cyber security professionals will have to make ethical decisions, often with only their own judgement to guide them. Yet, as an industry, how much do we study or debate ethical dilemmas? This talk will cover what ethics are, how people develop an ethical compass and what ethics mean in the context of technology, security and privacy. I will focus on ethics in relation to cyber security, why it matters and the extent to which we have a defined ethical code, or whether there is a need for us to formulate and communicate our ethics as an industry.
Cyber security has come a long way in the past 10 years. What we have today is an alphabet soup of jargon and abbreviations and an industry known more for vapourware and shelfware as opposed to successful implementations. In spite of investment in cyber security growing exponentially each year, the number of organizations getting pwned is growing exponentially as well. Have we as an industry learnt from our mistakes and attempted to figure out why our existing approaches haven't been quite as effective? In this talk, I advocate a simple back to basics approach. Instead of throwing more technology at the problem, can we take a step back and identify what are those basic processes that an organization must get right to raise the bar for attackers? The end goal is to develop security design principles and solutions which can be adapted and implemented by a range of mid to small size organizations.
In security, sharing is caring, but it can also be scary and hard. How do you tell the public there is a problem with your technology or service without causing panic, hurting your reputation and customer trust, adversely impacting your business’ bottom line? How do you reassure panicking users that may or may not be affected by the latest high profile breach or vulnerability? If you work in information security, technology development, or IT operations, the unfortunate reality is that at some point, you will likely have to deal with a situation like this. How you communicate through the process can greatly influence the outcomes, and may determine just how stressful the experience ends up being. Handle it well, and you can build your personal credibility, that of your employer, and earn your customers’ trust. Handle it poorly and you’re likely looking at a media maelstrom, and potentially lawsuits or government involvement.
There are many aspects to getting the communication right – this is not just about handling media, as it is often perceived. It starts with your core stakeholders – those involved in the incident response, execs, and other key players inside your organization. In and of itself, identifying those people and communicating with them effectively is tough, particularly if many are people you don’t often work closely with. Then you have to consider broader internal communications so you can adequately prepare your organization’s frontline, and then there is the broader community. Media, regulators, and other third party institutions can certainly have a HUGE impact, but they are just one set of stakeholders that need to be considered and with whom you need to communicate.
While most security professionals will partner with marketing/communications professionals and/or a legal team on any crisis communications, the likelihood is that they will need to provide a certain amount of guidance to help the team navigate the situation and achieve the right outcome. There are a lot of moving parts and the situation changes in real-time – it’s important to stay focused on the core elements that make up productive crisis communications:
This talk will share some recent experience on building a security culture programme in the midst of change. It'll share some successes, some failures and some take aways.
Container technology has been around in various shapes or forms for some time; however, the recent arrival of Warden/Garden, Docker and others who provide a lightweight option to virtualization has put the "container" buzzword on top of most DevOps tool kits. As usual, what has been overlooked is security and the potential issues that can come about as a result. This presentation takes a closer look at a few of the more commonly used container technologies today, namely Docker and Warden/Garden, and the associated potential security issues.
Please click here (opens in a new tab) to vote
You can change your vote at any time during the voting period by resubmitting the form, only your latest votes at time of closing will be counted. If you encounter any issues during the voting process please contact cfp at securitybsides.org.uk detailing the issue and we will assist you.