
Thursday, August 29
 

8:00am BST

Registration
Thursday August 29, 2019 8:00am - 8:45am BST
Exhibition Area

8:45am BST

Opening Remarks

Thursday August 29, 2019 8:45am - 9:00am BST
Track 1

8:45am BST

Opening Remarks

Thursday August 29, 2019 8:45am - 9:00am BST
Track 2

9:00am BST

From builder to breaker
A journey from Software Developer to Red Teamer. In under two years I went from a software developer with an interest in security to an active member of a Red Team at a FTSE 100 company. Along the way I've learned a huge amount about security, and picked up a few other things too. Here's how I did it and some of the fun things I’ve done since.

Speakers

Gavin Johnson-Lynn

Offensive Security Specialist, Sage
Gavin is an Offensive Security Specialist at a FTSE 100 company, where he works within a Red Team to help with security around the business. Originally a software developer, he has a wealth of experience with web applications, focusing on the insurance and payments industries, with...


Thursday August 29, 2019 9:00am - 9:30am BST
Track 4 (Rookie)

9:00am BST

HTTP Desync Attacks: Smashing into the Cell Next Door
HTTP requests are traditionally viewed as isolated, standalone entities. In this session, I'll introduce techniques for remote, unauthenticated attackers to smash through this isolation and splice their requests into others, through which I was able to play puppeteer with the web infrastructure of numerous commercial and military systems, rain exploits on their visitors, and harvest over $50k in bug bounties.

Using these targets as case studies, I'll show you how to delicately amend victims' requests to route them into malicious territory, invoke harmful responses, and lure credentials into your open arms. I'll also demonstrate using backend reassembly on your own requests to exploit every modicum of trust placed on the frontend, gain maximum privilege access to internal APIs, poison web caches, and compromise what's possibly your most trusted login page.

This is an attack the web is thoroughly unprepared for. Although documented over a decade ago, a fearsome reputation for difficulty and collateral damage has left it optimistically ignored for years while the web's susceptibility grew. By applying fresh ideas and new techniques, I'll unveil a vast expanse of vulnerable systems ranging from huge content delivery networks to bespoke backends.

I'll help you tackle this legacy by sharing a refined methodology and open source tooling for black-box detection, assessment and exploitation with minimal risk of collateral damage. These will be developed from core concepts, ensuring you leave equipped to devise your own desync techniques and tailor (or thwart) attacks against your target of choice.


Speakers

James Kettle

Director of Research, PortSwigger Web Security
James Kettle is Director of Research at PortSwigger Web Security, where he designs and refines vulnerability detection techniques for Burp Suite's scanner. Recent work has focused on using web cache poisoning to turn caches into exploit delivery systems. James has extensive experience...


Thursday August 29, 2019 9:00am - 10:00am BST
Track 1

9:00am BST

Fe-fi-fo-FIM, I smell the monitoring of an elastic stack!
FIM is simple right? Everyone knows how to do FIM right? I'm gonna have to disagree!

This one's gonna be a simple one answering a few questions:
- How do we get FIM out there?
- How do we centralise those logs?
- What can we do with those logs?
- Ok, so where do we go from here?

I'm talking about the full shebang, we're cracking out ELK, Wazuh, and we're gonna have a peer into Apache Metron and what we can do with that! (Ooooooh... Aaaaaaaah...)

Everyone should be excited for this one ;)

Speakers

Brett Calderbank

PROTECT Lead, The Hut Group
SecOps-y engineering guy, mostly in the whole "blue team" side of things for nearly 4 years now! Currently I'm the head of security engineering over at The Hut Group doing loads of different work, from SIEM stuff to DLP and everything else under the blue team sun! I've been trying to...


Thursday August 29, 2019 9:00am - 10:00am BST
Track 2

9:30am BST

Increasing Security: New Recruits
If you want to get your first job in cyber security, or you want to recruit good people for your entry-level security roles, I hope this talk will have something to offer you. I changed careers from a completely different sector, and I will explain what I did to get here, in study and social networking.
Recruiting career-changers is an excellent opportunity to get someone with a diverse range of experience for a beginner’s salary. If you are usually hesitant about recruiting people from (far) outside the sector, I hope to shed light on why we might be some of the best recruitment ‘buys’.
I have also been very happy in this position so far – I will explain exactly what my employers have done to help me settle in and what was important to me, coming in as an outsider. That said, it has also been hard! I hope to arm you with knowledge of what I found challenging so you can use it to anticipate your own needs in your new workplace, or those of your new intake.

Speakers

Rachael Stos-Gale

Rachael is an analyst in the SOC of a well-known MSSP. Previously she has studied dead languages, worked in bars, retail, conveyancing, estate agency, and harassed teenagers about parts of speech and extended metaphors as a secondary school English teacher. Before joining the SOC...


Thursday August 29, 2019 9:30am - 10:00am BST
Track 4 (Rookie)

10:00am BST

Introduction to OWASP Juice Shop
OWASP Juice Shop is an intentionally vulnerable Web app that can be used for general security awareness or teaching devs how to avoid common security pitfalls. It can be run in either a CTF mode or as an individual challenge.
This talk gives an overview of OWASP Juice Shop, what it is, how it works and what areas of the OWASP Top 10 it relates to. During the talk, we'll give demonstrations on how to solve several of the challenges and provide hints for some of the more in-depth challenges.

Speakers

Tim Corless-Carter

Vulnerability Specialist
Tim has worked in infosec for the past seven years, firstly as an analyst and senior analyst covering all areas of infosec, then most recently as a Vulnerability Specialist. He's also a bit of an infosec cert junkie, having previously held CEH and currently holding OSCP and CISSP...


Thursday August 29, 2019 10:00am - 10:30am BST
Track 4 (Rookie)

10:00am BST

Quantum Computers and Cryptography
Quantum Cryptography has come along a great deal since scientific and mathematical interest in the field took off in the 90s. It has several consequences for classical cryptography and for what will be considered the standard for secure communication in the near future. Successful trials that secure communication through the unique properties of quantum physics have already been undertaken. Progress in quantum technologies has been swift in the last decade: Quantum Key Distribution (QKD) systems have been tested by banks and governments, and similar systems were deployed at the 2010 World Cup in South Africa. In 2017, researchers held a QKD-protected video conference between China and Austria using the quantum satellite Micius as a trusted relay; further strides and greater worldwide adoption are anticipated for the coming decade.
In this presentation we will begin by taking a broad look at quantum information and the ramifications it has for classical (current) cryptography. After that we shall take a dive into the interesting and counter-intuitive world of quantum physics with regard to cryptography.
We will approach everything from an InfoSec perspective, discussing where testing methodologies will change, what remediation advice may be given to clients during the transitory period and how much of the theoretical possibilities achievable with quantum computers we are likely to see in practice in the near future.
The presentation will involve some light mathematics, but it is a presentation aimed at cyber security professionals and not physicists or mathematicians. As such, the level of physics and mathematics in the discussion will be presented in terms consumable by the layman.


Speakers

Imran Shaheem

Imran Shaheem joined Cyberis Limited in early 2018 following the successful completion of an MSc in Theoretical Physics (Gravity, Particles and Fields) at the University of Nottingham. Prior to joining Cyberis, Imran participated in online bug bounty programs which led to private...


Thursday August 29, 2019 10:00am - 11:00am BST
Track 1

10:00am BST

Navigating the Red Forest
Successful cyber attacks often involve gaining administrative access to a domain within a short amount of time. This results in bad actors having remote access to an organisation’s highly confidential information, which could include client information, source code and intellectual property. Attacks like these can have a severe financial impact through incident response and the implementation of remediations taking many person hours, along with intangible damage to reputation.
To combat these types of attack Microsoft introduced the concept of ESA (Enhanced Security Administration), also known as the Red Forest, to allow administrators to administrate with enhanced security and protection.
This talk is aimed at those considering the implementation of the Red Forest who have not yet had the time to investigate it in detail. The architecture and logistics of building the Red Forest will be covered, along with Privileged Access Workstations (PAWs), which are given to all administrators as part of the Red Forest build-out.
Windows Administration experience is presumed; the talk will provide advice on the strengths that the Red Forest can offer to a company and how to get up and running quickly and effectively. Gotchas and blockers found during the build out phases will also be discussed to save attendees from hitting the same issues.


Speakers

Derek Price

Managing Security Consultant, NCC Group
Derek is a Managing Security Consultant at NCC Group with over 7 years of experience in cyber security. His expertise in penetration testing and consultancy spans most technologies, from Windows security to telephony, and he has worked with a variety of clients across all sectors...


Thursday August 29, 2019 10:00am - 11:00am BST
Track 2

10:00am BST

Hacking RF: Breaking what We Can’t See
An often overlooked aspect of security is what happens when information moves magically from one device to another with no wires. We usually know this as WiFi or Bluetooth, and any attacks are usually based on these technologies. However, when you widen the scope to RF wireless communication, a lot more tools become available.

Speakers

Grant Colgan

Grant has had years of experience working with radio communications and is currently working as a technical consultant within the cyber security space. His real passion however is radio, and using radio communication techniques and tools to find and exploit vulnerabilities in common...


Thursday August 29, 2019 10:00am - 11:00am BST
Track 3

10:30am BST

Phishing Overboard
This talk will cover advanced techniques in phishing attacks and all the weird things miscreants do to evade detection and analysis, or exfiltrate stolen credentials. Some techniques include geo-blocking, DNS compromise, dynamic directory creation, and redirect techniques.

Speakers

Elise Manna

Elise is Director of Threat Operations, specializing in threat response, hunting, intel, as well as phishing and malware analysis. She actively participates in the infosec community, including as a volunteer at conferences and ISAC committees.

Sponsors

Novacoast

Novacoast helps organizations find, perfect & create solutions for a powerful security posture through advisory, engineering, development & managed services. Above all, we are a resource engine. We find and foster fearlessness and ingenuity, supporting resources with comprehensive...


Thursday August 29, 2019 10:30am - 11:00am BST
Track 4 (Rookie)

11:00am BST

Coffee Break
Thursday August 29, 2019 11:00am - 11:30am BST
Exhibition Area

11:30am BST

Metadata piggybacking: A look into Open Graph Abuse
The Open Graph protocol was initially released in April 2010. It is a protocol that allows any webpage to become an object displayed to users. It is widely used by social media outlets with the aim of beautifying links sent between users. Whether this is a tweet on Twitter or a private message on Discord, it appears that the majority of web applications where resources can be shared use this protocol. Unfortunately, through a small issue in most Open Graph parsers, a malicious actor has been able to forge the object created, gaining the user's trust and redirecting them to an alternative webpage which is not the one displayed by the object.
In my talk I will outline the Open Graph technology and its benefits, as well as describing how it can be abused. I will look at how social media outlets use the visibility of the URL to prevent Open Graph spoofing, but because Open Graph objects are cached and the parsers follow redirects, this URL visibility can be bypassed, creating a more convincing object. I will explain the technical details with some examples of this technique and how it could be used maliciously to create convincing phishing campaigns.
Furthermore, I will demonstrate some examples where this technique is being used in the wild to disguise webpages in an attempt to get users to visit potentially malicious websites.
In conclusion, it seems odd that, given the current landscape where humans are the weakest link in any system, the general response to this issue across multiple social media platforms is that they are aware of the issue but are not doing anything to fix it. I will argue that this needs to be taken more seriously given the trust that these Open Graph objects create, and also the implications not only for the site hosting the Open Graph object but for any other web application. Often the application where the Open Graph object is forged is not the target of an attack through this vector.

Speakers

Charlie Hosier

I am a proud member of ENUSEC and often play CTF for the CTF team the cr0wn. I am the Cyber Security Masterclass 2018 winner and am a current member of Team UK. I am also soon to become a Junior Cyber Security Consultant at NCC Group.


Thursday August 29, 2019 11:30am - 12:00pm BST
Track 4 (Rookie)

11:30am BST

Getting Splunky with Lateral Movement - Attack, Detect and Evade
Following on from our talk at SteelCon 2019 (Getting Splunky with Kerberos) we’ve decided to extend the Attack, Detect, Evade concept to the topic of Lateral Movement.

Along with initial execution and laying of persistence, lateral movement is often one of the key points in a red team engagement that can lead to a detection by the blue team. In this talk we will demonstrate how attackers carry out lateral movement, dive into how they can be detected, before demonstrating how the red team can successfully evade these detections.

Whilst this talk will use Splunk as the data platform, these techniques can be used on any platform of your choosing.

Speakers

Ross Bingham

Ross (@PwnDexter) - Red Teamer @ Nettitude. Ross is a Senior Security Consultant working within Nettitude's red team; the bulk of his time is spent delivering red team engagements, fighting EDR products, or reporting! Otherwise he is working on research, tool development and our detection...

Tom MacDonald

Mac (@BaffledJimmy) - Red Teamer @ Nettitude. Mac is a Managing Principal Security Consultant at Nettitude, working on large internal infrastructure and red team engagements. He is never happier than when abusing sysadmin tools to compromise environments, as it reminds him of his younger...


Thursday August 29, 2019 11:30am - 12:30pm BST
Track 1

11:30am BST

a8n-retrospective/introspective : a minor exercise in ego...
I started my path into security back in 1993 with a job as a physical security guard. Since then, I've worked across a wide field of security jobs on both the offensive and defensive sides, for a diverse range of customers. I can't predict the future, but I certainly have a lot of stories to tell when thinking back to the past. Highs and lows - wins and losses - joys and sorrows. Rather than deliver any deep technical knowledge, or drop a load of 0dayz, I'd like to take a step away from my normal presentation style and tell a few "war stories" from my life in this industry. The good, the bad, and the ugly.

Speakers

Steve “autom8on” Wilson

Cat Wrangler
I'm old and have done things. ;-) Former MoD blue team research scientist, turned red and offensive, leading ultimately to security nihilism. Red teamer, teacher and mentor, physical security buff, and conference enthusiast. Tigerscheme assessor and long term CTL. Maker of horrifically...


Thursday August 29, 2019 11:30am - 12:30pm BST
Track 2

11:30am BST

OSINT + Python: extracting information from the Tor network and dark web
The talk will start by explaining how the Tor project supports the research and development of tools for the online anonymity and privacy of its users while surfing the Internet, by establishing virtual circuits between the different nodes that make up the Tor network. Later, we will review the main tools for discovering hidden services in the Tor network using OSINT tools. Finally, we will use Python to extract information from the Tor network with specific modules like stem (https://stem.torproject.org/).

These could be the main points of the talk:

- Introduction to the Tor project and hidden services
- Discovering hidden services with OSINT tools
- Extracting information from the Tor network with Python

Speakers

Jose Manuel Ortega Candel

Software Engineer
I am a Software Engineer and security researcher with a focus on new technologies, open source, security and testing. My career target has been to specialize in Python and security testing projects...


Thursday August 29, 2019 11:30am - 12:30pm BST
Track 3

12:00pm BST

Malicious Behavior Detection using WMI
How do we know when trusted applications that are integral to the operating system are being used for evil?
How do we determine whether the behaviour is normal or has malicious intent?
Through this talk I will discuss the challenges around detecting the malicious use of native Windows applications, the so-called Living Off The Land binaries.
I will explore Windows Management Instrumentation (WMI) in depth, and show how it can be used to detect changes to various aspects of Windows.
I will demonstrate how we can combine simple behavioural indicators of suspicious activity with aspects of WMI to create a framework for detecting malicious behaviour.

Speakers

Ben Lister

Junior Security Consultant, Uni of Manchester & NCC Group
Recent graduate in Computer Science and Maths from the University of Manchester. Long term intern and soon to be consultant at NCC Group. PowerShell enthusiast with an interest in Windows security.


Thursday August 29, 2019 12:00pm - 12:30pm BST
Track 4 (Rookie)

12:30pm BST

Lunch
Thursday August 29, 2019 12:30pm - 1:30pm BST
Exhibition Area

1:30pm BST

1 year on, It's not all about GDPR. An introduction to the NIS Directive; The Silent one...
This talk will provide a brief introduction to the NIS Directive, its scope and why it matters.
We will also describe CGI's approach to implementing the Cyber Assessment Framework (CAF). The CAF is a systematic method developed by the NCSC that can be used to assess the extent to which an organisation is adequately managing cyber security risks in relation to Operators of Essential Services.

Speakers

Romeo Embolo

Romeo is a Security Consultant within the CGI Cyber Security Team, delivering highly successful security assignments, services and programmes to clients. Across the wider Information Security domain, Romeo has delivered security solutions to numerous financial services institutions...


Thursday August 29, 2019 1:30pm - 2:00pm BST
Track 4 (Rookie)

1:30pm BST

Exposing AWS with flAWS
As more web applications move to cloud hosting, the security landscape is changing. Whilst network and server level attacks should be mitigated (to some degree) in cloud environments, the complexity of these systems and the ease with which they can be used leads to a new scope for attacks on misunderstood, and thus misconfigured, cloud resources.

This talk will give examples of what to look for when securing or testing AWS setups, guided by flAWS, an online playground for exploiting vulnerabilities with AWS in a safe environment. The talk does not require knowledge of AWS, and the resource is free online for those who want to continue learning afterwards.

(note for organisers: I have permission from the writer of this resource to use it in a conference setting)

Speakers

Mike Lehan

CTO, StuRents Ltd
Mike has been working in web application development for 11 years, the last 4 of which as CTO of a tech startup. Mike's focus is on good development practices, leading to more reliable and more secure software. He also works with infrastructure, specialising in AWS. Focussing on every...



Thursday August 29, 2019 1:30pm - 2:00pm BST
Track 2

1:30pm BST

Threat Modelling and Black Swans - Predicting the unpredictable by thinking like an attacker
Threat modelling is a useful tool for improving the security of a system at design time and for developing effective test plans. Unfortunately, it's very common for threat models to concentrate heavily on technical attacks and what are traditionally accepted as common attack types, while avoiding social engineering, physical and other more unusual or less technical attacks. This often results in limited test coverage or a failure to anticipate the full range of threats.
This talk will explain a methodology for building threat models that combine typical technical threats with unexpected 'Black Swan' events, using real-world examples to illustrate the process.

Speakers

Nick Dunn

Nick Dunn is a secure software developer, turned penetration tester and an occasional developer of hacking tools and scripts. His work and interests include threat modelling, machine learning and secure software development practices. He works for NCC Group, is the developer of VCG...


Thursday August 29, 2019 1:30pm - 2:00pm BST
Track 3

1:30pm BST

The perfect place for a backdoor (VM Hub 3.0)
Testing embedded devices is mostly fun; in some cases it is like being in the 90s, looking for bugs that should be extinct by now. Virgin Media's Hub 3.0 was no different. After a few hours actively trying to find a bug in the system, a remote command execution bug was found, but that was just the beginning of this story.

Over time, many other bugs were found and eventually a full chain of exploits was created which made it possible to control the device remotely with no user interaction and potentially take control over millions of these devices, installing backdoors in them in a way that would be extremely hard to find and investigate.

Speakers

Balazs Bucsay

Balazs Bucsay (@xoreipeip) is a Managing Security Consultant at NCC Group in the United Kingdom who does research and penetration testing for various companies. He has presented at many conferences around the world including Honolulu, Atlanta, London, Oslo, Moscow, and Vienna on multiple...


Thursday August 29, 2019 1:30pm - 2:30pm BST
Track 1

1:30pm BST

Coding Burp Extensions
The Burp extender API lets you enhance the functionality of Burp to support new technologies, techniques and workflows. This workshop will introduce coding Burp extensions using Kotlin and cover some of the key interfaces that Burp exposes: HTTP listeners, custom scanner checks, session handling actions and GUI elements. The workshop includes some mini CTF exercises which can be solved by coding an extension.
Pre-requisites: Some coding experience, a laptop, IntelliJ, Burp (community or pro)

Speakers

Paul Johnston

Director, Online Outlaw
I'm a pen tester, security trainer and developer. I've worked with major banks, financial firms, utilities, engineering and more. Currently building a training company that teaches developers to code securely.


Thursday August 29, 2019 1:30pm - 3:30pm BST
Workshops

2:00pm BST

Nice vulnerability, I don't care
As security professionals we are bombarded with data about what we do, from threat feeds and vulnerability reports to security alerts, logs and SIEMs, not to mention worried users - there is no end of data if we want it. In most organisations staff outside of IT and security don't care about threats or vulnerabilities. Ask the board or a business manager and they want to know about risks and impacts. Ask most security and IT staff what their biggest risk is and they would be hard pressed to tell you.

The biggest risk is probably that they don't know what their biggest risk is.

My talk will define risk, explain what threats and vulnerabilities are in relation to risk, and show how all of this can be applied and presented in a way that can be understood by the non-technical staff we need to make aware. Along the way we'll touch on:

- the difference between risk, threat, vulnerability, impact and many other misused and overloaded words.
- The forgotten part of IT (clue - it's not all about technology).
- methods to quantify risk.
- how to use risk to identify the vulnerabilities you need to take action on and the ones you don't need to care (so much) about.
- how talking the business language of risk will achieve the desired effect somewhat better than any amount of detailed explanation of a specific vulnerability.

This is not about breaking out of the InfoSec echo chamber, but about realising that by standing back from the detail (no matter how important) we may find that the echo chamber is not some silo or ivory tower; in fact it probably doesn't exist at all. If there is an echo it's only because we repeat ourselves, and if we have to repeat ourselves, maybe the problem is not that we are not being heard but that we are not saying the right things.

My target audience is the overloaded internal IT and security staff who need tools to turn the tsunami of data on threats, vulnerabilities and risks into actionable knowledge - it's really InfoSec 101, but based on my years of experience, good and bad.

Speakers

James Carter

I have over 20 years' experience in IT and Cyber Security and in my time I've done pretty much every job you can in IT except web design! I'm currently global cyber risk manager for a large multinational engineering company, reporting directly to the CISO, and I run a small team of vulnerability...


Thursday August 29, 2019 2:00pm - 2:30pm BST
Track 4 (Rookie)

2:00pm BST

Offensive Development: How to DevOps Your Red Team
During this talk we will explore how DevOps principles can be applied to red teaming, focusing on the implementation of a custom CI/CD pipeline to automatically consume, build and deploy existing and custom tooling to an environment in a manner agnostic to any command and control framework.
 
We will explain how this approach can not only significantly reduce indicators of compromise, but also introduce the capability to programmatically and automatically protect all your tools from DFIR.
 
Following the talk, we will release redpipe, a custom CI/CD pipeline developed by MDSec for use during red team engagements.
 
The future of red teaming is offensive development.

Speakers

Dominic Chell

Director, MDSec
Dominic (@domchell) is a director at MDSec where he works within the ActiveBreach team and is responsible for conducting intelligence-led attack simulations under the CBEST, STAR and TIBER frameworks. Dominic is a published author and active researcher, frequently releasing tools...


Thursday August 29, 2019 2:00pm - 2:30pm BST
Track 2

2:00pm BST

Profiling The Attacker | Using Natural Language Processing To Predict Crime
What do Minority Report, Black Mirror and 1984 all have in common? Well, let's find out.

On a day to day basis we countlessly write notes, send messages and respond to emails. The question is, however, what does what we write actually show about us, and how can we use the meaning behind these pieces of text to predict crimes and attacks?

This talk delves into just this - how machine learning, and specifically natural language processing and sentiment analysis, can be used to predict crime and security attacks. This, of course, comes hand in hand with talking about predictive policing approaches, biases in predictive policing, and how natural language processing can be used to automate this whole process.

Speakers

James Stevenson

Security Researcher
James Stevenson is a Software Engineer and Security Researcher, with a history of security operations. James is also an alumnus of the University of South Wales and these days he works as a Security Engineer at a large UK technology company, as well as speaking at security events across...


Thursday August 29, 2019 2:00pm - 2:30pm BST
Track 3

2:30pm BST

Making a Subset difference: The Crypto in AACS
When I wanted to understand how AACS works I found very little information/explanation. The Subset-Difference tree and how it provides efficient revocation in a broadcast encryption scenario was particularly opaque.

This talk aims to demystify the crypto in AACS, explaining how we can revoke a device's ability to decode media without relying on co-operation from the device.

Speakers

Rael Sasiak-Rushby

I code 9-5, and sometimes more than that. I believe Security helps you learn by challenging assumptions, and Mathematics is beautiful logic; Cryptography is the glorious child of the two.



Thursday August 29, 2019 2:30pm - 3:00pm BST
Track 4 (Rookie)

2:30pm BST

Protecting Kids Online: Are We Doing Enough
In recent years, with the rise of smart devices, kids almost have an expectation of having an online profile regardless of age restrictions. With kids not understanding the risk themselves and most parents unaware of the dangers of constant online access, should mobile providers and social media platforms do more to inform the parent and protect the child?

Speakers

Katie Colgan

Katie works in Application Security and has a passion for cyber security. Having started her career learning the dynamic side of web application security testing, she has recently moved into code review and started applying her vulnerability knowledge to white box testing...


Thursday August 29, 2019 2:30pm - 3:30pm BST
Track 1

2:30pm BST

What colour is your hat?
Ethical hacking, ethical living - how to devise your own moral code and live by it whatever you are doing.

Speakers

Megan Robertson

Aston University
Botanist turned computer programmer, then webhead, then teacher and now academic. Chartered Fellow of the British Computer Society. Teaches computer ethics at Aston University.


Thursday August 29, 2019 2:30pm - 3:30pm BST
Track 2

2:30pm BST

S-a-a-a-S – Security as an actual service
Security teams are regularly branded with the unfortunate moniker of ‘the department of no’; seen as the place where innovation went to curl up and die. Individuals or teams with meticulously cultivated plans feel halted in their tracks because “ugh…security policy”, so they either stop innovating or, more often than not, just merrily bypass the security team altogether and find another way to do what they wanted in the first place. Shadow IT is no-one’s friend in the end, and there are no prizes for guessing who gets the blame when something goes wrong. Blame is of little use after the event, and likely the real culprit is inadequate inter-departmental partnerships. When it comes to developing ideas and proposals, a lack of collaboration means the security aspect of planning is missed or at best delayed. No-one enjoys being brought in at the last minute and then having to brandish the ‘no’ stick.

Partnering properly means bringing the right teams in from the start, ensuring that the security needs of the organisation are built into the very core of an idea, not added as an afterthought. It’s the very premise of DevSecOps/SecDevOps/DevOpsSec - whatever the kids are calling it these days - but one that can go further. It’s not just applications that require this type of collaboration - it is just as central to all types of innovation - essentially the DevSecOps of ideas.

What you’ll learn from this session:

- How SaaaS will benefit you, your team, and your organisation
- Ideas for promoting SaaaS within your organisation
- Carrot vs the “No” stick – proactive tips to get ahead of requests
- How to measure SaaaS success

Speakers

Samantha Humphries

Exabeam
Samantha has 20 years of experience in info-sec, and has held multiple positions including: Senior Product Manager, Global Threat Response Manager, and Incident Response Manager. She’s helped hundreds of organisations of all shapes, sizes, and geographies recover and learn from...


Thursday August 29, 2019 2:30pm - 3:30pm BST
Track 3

3:00pm BST

Do I need to change the OSS in my product? Making informed decisions.
Open Source software runs the world - some estimates say upwards of 90% of lines of code in products come from Open Source. While this has been a huge advantage, OSS comes with a different security debt and risk model compared to traditional software development. Every day, project leaders are making ad hoc, instinctual decisions about their projects, because they do not have the tools to be more accurate.

In this talk I will discuss the various factors that contribute to the amount of security risk introduced by third party OSS, and the factors that should go into making an informed decision about whether to keep or replace OSS in your codebase. These include past performance, the development team, release cycle, code complexity and so on. Other, real world factors that come into play are dev team experience, alternatives, the proportion of the code used and patching possibilities.

Providing these quantifiable factors will allow better decisions to be made by all, and for the overall security debt to be better understood, and better managed.

Speakers

Alex Burrage

Currently a Security Incident Response Engineer at BlackBerry, with experience in secure software development across a variety of products and environments, I have worked on the front line of developing and maintaining products that rely on Open Source Software, and seen the fall...


Thursday August 29, 2019 3:00pm - 3:30pm BST
Track 4 (Rookie)

3:30pm BST

Break
Thursday August 29, 2019 3:30pm - 3:45pm BST
Exhibition Area

3:45pm BST

Crash, Burn, Report
With the launch of the Reporting API, any browser that visits your site can automatically detect and alert you to a whole heap of problems with your application. DNS not resolving? Serving an invalid certificate? Got a redirect loop, using a soon-to-be-deprecated API, or any one of countless other problems? They can all be detected and reported with no user action, no agents, no code to deploy. You have one of the most extensive and powerful monitoring platforms in existence at your disposal: millions of browsers. Let's look at how to use them.

In this talk we'll look at how to configure the browser to send you reports when things go wrong. These are brand new capabilities the likes of which we haven't seen before, and they're already supported in the world's most popular browser, Google Chrome. We'll look at how to receive reports and how to make use of them after having the browser do the hard work.

Speakers

Scott Helme

Founder, Report URI Ltd.
Hacker, researcher, builder of things. Founded securityheaders.com and report-uri.com, Pluralsight author, BBC hacker in residence, award winning entrepreneur. Find me at scotthelme.co.uk


Thursday August 29, 2019 3:45pm - 4:45pm BST
Track 1

3:45pm BST

I like big bots
The internet isn't fair: bots and automated threats make up the majority of web traffic, and while they are not all bad, they do pose a wide range of risks to businesses' web apps. The talk is a tour of the bot ecosystem and how bots are posing threats many aren't even aware of; from underground cheese markets to buying a single left shoe, there is a weird world of bots to explore. We will also touch on how your friends and family might already be part of a botnet and not even realise it.

Speakers

James Maude

James is a security researcher with a background in forensic computing. He has previously presented research on a wide range of topics, from Elevation of Privilege on Windows to the Ashley Madison breach. Currently he is Head of Threat Research at Netacea, a bot management vendor...


Thursday August 29, 2019 3:45pm - 4:45pm BST
Track 2

3:45pm BST

Rage Against The FUD
FUD you, I won’t do what you tell me.
In this talk, we reveal some of the worst examples of organisations delivering fear, uncertainty and doubt (FUD), why it's a terrible move and how to avoid it as a responsible organisation.
Be it CrowdStrike claiming APT28 will pwn your network inside two hours, to allegations of Huawei backdooring all your data back to Beijing, we'll lay down the facts and give you the information to make your own judgements.
We'll tackle the press, excitable researchers and even nation states.
As ever, there'll be music and fun, but the underlying messages will be serious in nature.

Speakers

Thursday August 29, 2019 3:45pm - 4:45pm BST
Track 3

3:45pm BST

BadUSB
In the past couple of years, USB devices have become more and more common: USB storage, keyboards, mice, wireless networks, even USB cup warmers. But as we plug more and more into our personal and work devices, where is the line crossed, and by how much?

You’ll start off by learning what a badUSB is, how an attack can be carried out and what attacks are available. From there, you’ll develop and create attacks that when used in real-life can cause mayhem, depending on the payload and the effect you - as the attacker - want it to have.

This activity is aimed towards beginners, but anyone who is interested is welcome!

*What you’ll need to bring*
  • A laptop with Windows or Linux as the primary OS (sorry Mac users!)
  • Virtual machines with Windows 7/10, Ubuntu and Kali installed for the attacks to be tested on

Speakers

Tia C

Ethical Hacking Student, Abertay University
Tia is an Ethical Hacking student from Abertay University going into her second year and has a strong interest in malicious hardware and software development, social engineering, OSINT and also enjoys teaching people about the joys of infosec. @Tiaaa_C


Thursday August 29, 2019 3:45pm - 5:45pm BST
Workshops

4:45pm BST

Fun with Frida!
Frida is widely used for mobile assessments, but hardly anyone seems to use it with Windows. This talk will look at ways we can use Frida to instrument Windows applications. We'll look at what tooling is available, ways we can deploy payloads and some of the obstacles we need to overcome before we can use Frida in Red Team engagements. An infosec talk wouldn't be complete without a demo, so we'll see how we can use these techniques to capture passwords from a password manager and look at how you can approach finding your own uses for Frida in your engagements.

Speakers

James Williams

MDSec
James is a security consultant at MDSec, researcher and occasional bounty hunter.


Thursday August 29, 2019 4:45pm - 5:45pm BST
Track 1

4:45pm BST

Losing Battles but Winning Wars
The talk is based around the collective negative experiences of Nettitude's Red Team and how through these losses the team has become stronger, more successful and ultimately "winning" by improving the blue teams they are up against. The talk will describe some of the failures in OPSEC, difficulties in accessing/compromising objectives and how these losses have led to the development of new tools and techniques as well as creating an environment where adversity on an engagement is merely an opportunity to become better as a team.

Speakers

Phil Lynch

Name: Phil Lynch (@plynch98). I am a Managing Principal Security Consultant working at Nettitude, where my role is co-managing the Pentesting Team; I am also responsible for managing Nettitude's Red Team Engagements. I am retired Royal Air Force and have over 25 years' experience within...


Thursday August 29, 2019 4:45pm - 5:45pm BST
Track 2

5:45pm BST

Closing Remarks

Thursday August 29, 2019 5:45pm - 6:00pm BST
Exhibition Area

5:45pm BST

Closing Remarks

Thursday August 29, 2019 5:45pm - 6:00pm BST
Track 1

5:45pm BST

Closing Remarks

Thursday August 29, 2019 5:45pm - 6:00pm BST
Track 2