Security BSides London, the UK’s biggest community-driven infosec conference, is happy to announce its 8th iteration, open to all regardless of background, skill level, income or job title.
  • Doors to the main event open at 8.30am with talks starting at 9am on 5 June 2019
  • Workshops will be held on 4 June 2018 starting at 10am; Pre-registration is required
Please remember that Security BSides London has a strict code of conduct available here
Rookies
Wednesday, June 5
 

08:50 BST

Welcome Address
Welcome address from the crew

Wednesday June 5, 2019 08:50 - 09:10 BST
Rookie Track ILEC Conference Centre 47 Lillie Road London SW6 1UD

10:05 BST

Using Network Miner to Reconstruct Network Traffic
Knowing how to extract resources from a packet capture can be an invaluable foundation for understanding how data is transmitted over the internet, but extracting a large number of resources and recreating them manually is not feasible. The talk will demonstrate how to recreate a singular file from a packet capture and also how NetworkMiner will make light work of extracting resources in bulk.


Wednesday June 5, 2019 10:05 - 10:20 BST
Rookie Track ILEC Conference Centre 47 Lillie Road London SW6 1UD

10:25 BST

Bots: can they really be managed?
There are hundreds of types of bots that generate traffic for any given site, so what are the challenges involved in identifying and managing them?


Wednesday June 5, 2019 10:25 - 10:40 BST
Rookie Track ILEC Conference Centre 47 Lillie Road London SW6 1UD

10:45 BST

SOC it up! - Common Frustrations and Solutions in SOC teams today.
Common frustrations seen in SOC teams nowadays, how are these currently being solved, with a look at what works best going forward.


Wednesday June 5, 2019 10:45 - 11:00 BST
Rookie Track ILEC Conference Centre 47 Lillie Road London SW6 1UD

11:05 BST

Exploring Emotet, an Elaborate Everyday Enigma
The Emotet Trojan is the most widespread malware family in the wild. It has been, and is still, the most notorious and costly malware since its appearance more than five years ago. Emotet owes its reputation to its constant state of evolution and change. The malware's rapid advancement helps support its highly sophisticated operation. In this presentation, I'll walk attendees through my investigation of the Emotet family and reverse engineering of its components.

In this talk, I'll discuss the capabilities and features of Emotet: a detailed overview of its multilayered operation, starting with the spam lure, the malicious attachments (and their evolution); and the malware executable itself, from its highly sophisticated packer, to its C&C communications.

Emotet is well-known for its modular architecture, worm-like propagation, and highly skilled persistence techniques. The recent versions spread rapidly using multiple methods. Besides its capability to spread by brute forcing using its own password lists, it can harvest all the emails from victims, then spread through spam. Its diverse module list hides different malicious intentions, such as information stealing including credentials from browser or email client, spreading capabilities, or delivering other malware as well as ransomware or other banking Trojans.

Finally, I will dissect the background operation of the payload modules. I’ll also present statistics from Sophos about its global reach.


Wednesday June 5, 2019 11:05 - 11:20 BST
Rookie Track ILEC Conference Centre 47 Lillie Road London SW6 1UD

11:25 BST

Turning Your Weapons Against You.
My talk is about using security tools set up by an organisation against itself. Specifically vulnerability scanners and NAC solutions.

Generally organisations will scan hosts on a network without thinking about the consequences of doing this. Often security solutions will blindly attempt to authenticate to a host during the scanning process, which can be abused by an attacker to capture credentials used by the tool to authenticate to a large number of hosts within the enterprise.

The talk will include information on general misconfigurations in these solutions and demos of how to exploit them. There will also be a remediation section at the end.


Wednesday June 5, 2019 11:25 - 11:40 BST
Rookie Track ILEC Conference Centre 47 Lillie Road London SW6 1UD

11:45 BST

Usernames, the missing piece - The OSINT Jigsaw Puzzle
There are often debates around usernames and how they should be assumed public knowledge, leading to issues surrounding the disclosure of usernames being classified as a low or information risk. What are the risks of exposing a username? Should username recycling like passwords be classed as a genuine risk?

This talk will walk through the risks associated with having a shared unique username across multiple services, and the importance of usernames in OSINT.

Speakers

Simon Hall

Simon has been in the industry for over 10 years, previously working in networking and then as a penetration tester. He now works as Principal Security Engineer at Digital Shadows, focusing on anything related to offensive security such as internal red teaming, research, exploit...


Wednesday June 5, 2019 11:45 - 12:00 BST
Rookie Track ILEC Conference Centre 47 Lillie Road London SW6 1UD

12:05 BST

Watching The Watchers, the Stalkerware Surveillance Ecosystem
While we focus on nation states' and corporations' role in steadily eroding our privacy and expanding omnipresent surveillance, an entire niche industry that caters to regular consumers who want similar spying capabilities has slipped largely under the radar.

This talk will present analysis of the stalkerware industry and its products from a technical and non-technical standpoint, based on months of personal research.


Wednesday June 5, 2019 12:05 - 12:20 BST
Rookie Track ILEC Conference Centre 47 Lillie Road London SW6 1UD

13:25 BST

Stalkerware in mobile devices
An overview of mobile stalkerware, specifically on the Android platform. I will discuss the marketing and legality of the software alongside providing an overview of its technical capabilities.


Wednesday June 5, 2019 13:25 - 13:40 BST
Rookie Track ILEC Conference Centre 47 Lillie Road London SW6 1UD

13:45 BST

My first program: a pentesting tool
In my talk I would like to introduce my first self-coded security tool. It’s a command line program that wraps around the Shodan API.

I started working in the security industry in the summer of 2018. I had no technical background when I started and as you can imagine I’ve learned a lot since then, including some programming. At the end of 2018 I started to learn my first programming language: Python. After I learned some of the basics, I started to work on my first program that I can use for work. As my programming skills have evolved working on the program, the program itself has evolved as a result, gaining more and more functions and features.

I would like to introduce my program and some of the functions that I developed, while explaining the journey that I took.


Wednesday June 5, 2019 13:45 - 14:00 BST
Rookie Track ILEC Conference Centre 47 Lillie Road London SW6 1UD

14:05 BST

Working Title: Bug Bounties: More than Meets the Eye
Bug Bounties have this WD40 aura that they are **the** solution to an organisation's external security; however, there is a sweet science beyond publishing a scope. By the end of this talk (hopefully) you'll be able to answer: Do more eyes necessarily mean the better? What are the intricacies to project-specific and non-project-specific hunters? And most quizzically what does the city of St Petersburg have to do with Bug Bounties?


Wednesday June 5, 2019 14:05 - 14:20 BST
Rookie Track ILEC Conference Centre 47 Lillie Road London SW6 1UD

14:25 BST

Mission assurance in closed, proprietary Systems
Bespoke networks and bespoke systems, especially air-gapped systems, aren't subject to the same threat vectors as classic systems. I've come up with a way to conduct an assessment of the security of proprietary systems which aren't connected to the internet.


Wednesday June 5, 2019 14:25 - 14:40 BST
Rookie Track ILEC Conference Centre 47 Lillie Road London SW6 1UD

14:45 BST

Aletheia: GPU accelerated file carving
This talk will be a brief summary of my Dissertation regarding the use of General Purpose Graphical Processing Units (GPGPU) for file carving.

Current open source tools for file carving are disappointingly slow (scientifically proven) and there are plenty of methods that can be used to improve them. I will ensure to introduce this topic in a manner that caters to all levels of skill in the subject area, followed by a discussion of the improvements that have simply not been applied to this niche use case and my attempts to introduce them.


Wednesday June 5, 2019 14:45 - 15:00 BST
Rookie Track ILEC Conference Centre 47 Lillie Road London SW6 1UD

15:05 BST

The Keymaker
The Keymaker - a tool for creating access tokens for Service Providers using a stolen ADFS signing certificate and a private key. Although the idea and methodology have been around for a while, there is limited previous work related to obtaining certificates and keys and signing requests with them.

Organizations are increasingly moving into the cloud. If we can obtain ADFS signing keys we can sign our own requests to Service Providers and get unrestricted access to the services. In the case of Amazon Web Services, we can even assign ourselves any role in the request. This also gives us persistence as we don’t need to be on the network if we want to access emails, SharePoint, etc.

The Keymaker is a Python server which will run locally on our machine. Instead of making a request to the Identity Provider, The Keymaker will capture the forwarded request and sign it without any interaction from the Identity Provider.

I will briefly go through what ADFS is, what processes are involved in getting access tokens and why we are interested in them. I will show an example of access tokens and show a small demo of the tool with a couple of notes on possible mitigation.

Speakers

Maksims Luferovs

Max specialises in Red Teaming and Pen Testing at KPMG. He is involved in security research of recent breaches, vulnerabilities and exploits. In his free time he likes participating in CTFs and coding challenges.


Wednesday June 5, 2019 15:05 - 15:20 BST
Rookie Track ILEC Conference Centre 47 Lillie Road London SW6 1UD

15:25 BST

Forensicating Windows Artifacts: Investigation w/out Event Logs!
When dealing with security incidents, hackers tend to wipe their digital footprints to avoid being detected. Normally, they want to wipe event logs, so it would be hard for incident responders / forensicators to detect what exactly they did on the compromised machine. As a security professional working in investigations like this, what would you do once the event logs got wiped? That's why Windows artifacts are there to help us investigate and conduct forensics to know what happened before and after compromising the Windows machine. In this talk, I'm going to show you the importance of Windows artifacts such as prefetch files, registry keys, link files, browser artifacts, shell bags, etc. I will also show you the tools that I've been using in order to get the best out of them during forensic investigations. This lesson is very important, especially to those people working in SOC environments, incident responders, and digital forensics investigators.

Speakers

Renzon Cruz

Renzon is a young security professional who works as a Senior Security Analyst and part of National Cyber Security Operations Center (NCSOC) in Doha, Qatar that performs threat hunting, incident response and digital forensics. Prior to that, he was a security consultant with the largest...


Wednesday June 5, 2019 15:25 - 15:40 BST
Rookie Track ILEC Conference Centre 47 Lillie Road London SW6 1UD

15:45 BST

The Definition of Madness
We keep seeing the same old mistakes and the same old issues. Isn't the definition of madness doing the same thing over and over expecting a different result? We need to change the approach, remove the elitism and make Infosec available to all.


Wednesday June 5, 2019 15:45 - 16:00 BST
Rookie Track ILEC Conference Centre 47 Lillie Road London SW6 1UD

16:05 BST

Frida the "Hooker"
FRIDA is a bad girl who can do nasty things - not only is she a hooker but also an expert at manipulating and eavesdropping. In other words, FRIDA is a superb customizable dynamic instrumentation toolkit which can attach to processes and inject code, even detach without crashing them. It can be used for reverse engineering, hooking, monitoring function calls and can also be used as a special malware analysis tool. This talk will tap into these cases a bit further and give a glance at the capabilities of FRIDA and the possibilities it offers.

Speakers

Barnabas Sztan-Kovacs

Barna (@cyb3rsk) is an enthusiastic cybersecurity engineer, wannabe hacker and infosec noob. Technical Innovation Advisor @ MRG-Effitas and ex-student of the best university IT security research group in Hungary.


Wednesday June 5, 2019 16:05 - 16:20 BST
Rookie Track ILEC Conference Centre 47 Lillie Road London SW6 1UD

16:25 BST

Vendor data science buzzwords hacked
In this talk I will go through buzzwords commonly used by security vendors, explain what they mean from a data science perspective and give advice on how to treat them with a healthy dose of scepticism. Think "Artificial Intelligence", "Data Driven" and "Advanced Analysis". These terms can all describe important approaches that are used in security data science, but they tend to be used too freely, potentially with the aim of blinding security teams with science and avoiding giving too much away. After this talk the audience will walk away with an arsenal to decode these buzzwords and the knowledge to ask pertinent questions to vendors to discover what their products are *really* doing under the hood.


Wednesday June 5, 2019 16:25 - 16:40 BST
Rookie Track ILEC Conference Centre 47 Lillie Road London SW6 1UD

16:45 BST

A Newbie's talk on Mobile Dangers through the Looking Glass
A talk on the vulnerabilities and attacks that can be carried out using other devices such as a Raspberry Pi and USB-OTG accessories to infect rooted Android devices, such as inserting malicious files, including exploring the consequences of rooted devices. I am going to explore the possibility of rooting a device programmatically using a Raspberry Pi and documenting any issues encountered when doing this. One use case being the new types of charging ports. Not all charging points require plugs, but merely a USB port where you plug in your cable using the USB connector... what if this wasn't just a port to charge your phone, but had a Pi behind it?
I would also like to look at the past vulnerabilities associated with other OS's like iOS.


Wednesday June 5, 2019 16:45 - 17:00 BST
Rookie Track ILEC Conference Centre 47 Lillie Road London SW6 1UD

17:05 BST

Automation in application security
Most security efforts are based on mitigation, detection and forensics, but little is done to prevent an attack from an application point of view. This talk will explain what can be done to prevent an attack against an application and why automation is your best friend.

Speakers

Javier Dominguez

Since I was a child, I had the weird ability to break anything that I touched, so finally I have found a way of making good use of my skills as an application security engineer. Twitter: @_JaviDR_


Wednesday June 5, 2019 17:05 - 17:20 BST
Rookie Track ILEC Conference Centre 47 Lillie Road London SW6 1UD

17:30 BST

Closing Ceremony
Welcome address from the crew

Wednesday June 5, 2019 17:30 - 18:00 BST
Rookie Track ILEC Conference Centre 47 Lillie Road London SW6 1UD