Security BSides London, the UK’s biggest community-driven infosec conference, is happy to announce its 8th iteration, open to all regardless of background, skill level, income or job-title.
  • Doors to the main event open at 8.30am with talks starting at 9am on 5 June 2019
  • Workshops will be held on 4 June 2018 starting at 10am; Pre-registration is required
Please remember that Security BSides London has a strict code of conduct available here
Track 1
Tuesday, June 4
 

10:00 BST

Catching that damned flag
Getting started with InfoSec can be tricky, especially (if, like me) you find experiential learning (learning through experience/hands-on learning) to be the best way to really grasp concepts you read/are told about. Unfortunately no matter how you phrase "I was just trying to learn..." when you're caught using NASA systems as your testing ground, you're still going to get an unpleasant first-hand experience of the US judicial system. Thankfully there are "playgrounds" out there where we can practice and learn, although at first they can seem a little intimidating. This workshop will centre around 2 "playgrounds", 'overthewire.org' and 'hackthebox.eu'. Starting off with some personally selected challenges from overthewire, we'll discuss the vulnerabilities along with some background and theory before solving the challenge as a group. With each challenge solved participants should gain the knowledge required to be able to take on the entry challenge to be able to sign up for hackthebox. Once each participant has successfully been able to register with hackthebox, we'll look at 1 or 2 of their 'retired' machines as a group, going from having nothing more than the IP of a machine, to then getting administrator level access on that machine. The workshop will finish with participants splitting into groups and attempting one of the 'active' machines on hackthebox.

What you need to bring:
- A laptop with administrator access, capable of running a Linux VM.

Speakers

Brett Mack

Brett is a DevOps engineer by profession but has always had a passion for InfoSec. He currently holds his OSCP and is working on further certification. This workshop mimics Brett's journey to receiving his OSCP, sharing valuable experience gathered on the way. 


Tuesday June 4, 2019 10:00 - 14:00 BST
Track 1 ILEC Conference Centre 47 Lillie Road London SW6 1UD

14:15 BST

Network Newb to Ninja
The purpose of this workshop is to provide the knowledge and skills to get over the initial learning hump to enable and encourage further learning about networking, including securing networks. These techniques can be used on home and production networks.
This workshop is aimed at SysAdmins, students and anyone interested in learning more about networking; after all, networks are the only element that is present in every IT environment globally, regardless of location, size, software used and industry.
In this workshop, attendees will learn:
1. How to create a free, vendor neutral, network lab environment without the need of any other hardware other than a laptop.
2. A working understanding of the OSI model, what each layer does and the considerations for design, security and monitoring that should be taken for each of them.
3. Techniques and the theory behind network defences to reduce the effect of security events, increase their ability to detect issues and protect against common attack methods, such as reconnaissance and lateral movement.
4. A basic understanding of how to use tools such as Scapy to craft packets and Wireshark to test that their network security measures are effective.

What you need to bring:
A laptop running Windows with admin rights, with at least 4Gb RAM (ideally 8GB) and 25Gb of storage. A PDF reader application and a spreadsheet application (just a reader will suffice) are also recommended.
The applications used in the workshop are:
VMware Workstation, GNS3, Wireshark, Kali Linux and Scapy

Speakers

Brian Whelton

Director, Whelton Network Solutions
Brian is a network guy with 20 years’ experience, and is the Director of Whelton Network Solutions, a consultancy primarily focused on networking, security audits and incident response. Outside of professional commitments he is a self-proclaimed certification junkie, InfoSec conference...


Tuesday June 4, 2019 14:15 - 18:15 BST
Track 1 ILEC Conference Centre 47 Lillie Road London SW6 1UD
 
Wednesday, June 5
 

08:50 BST

Welcome Address
Welcome address from the crew

Wednesday June 5, 2019 08:50 - 09:10 BST
Track 1 ILEC Conference Centre 47 Lillie Road London SW6 1UD

09:15 BST

Cyber systems of the powergrid. How does power get to your tea kettle from the power plant.
This talk will show the digital and analog systems of the power grid and follow the rail of electricity from its place of production all the way to your tea kettle. This talk is different in that there are no bullet points only photos.

Speakers

Bigezy

Bigezy is the POC for the defcon DC217 chapter. He won a black badge for wardriving in 2003 at Defcon and is a frequent speaker at conferences around the world including BSides Las Vegas 5 times. Bigezy currently spends his time studying ICS SCADA networks and drinking fine whisk...


Wednesday June 5, 2019 09:15 - 09:45 BST
Track 1 ILEC Conference Centre 47 Lillie Road London SW6 1UD

09:45 BST

A safer way to pay - Comparing the security and integrity of 21st century payment systems
This talk will look at how to determine what security and privacy risks are worth accepting and the security benefits and downfalls of accepting and making payments using everything from PayPass/PayWave, EMV (Chip), Venmo, AliPay to ApplePay, Google Pay and PayPal. While the security and ease of use of payment tech has improved dramatically in the last 20 years, this talk won't explore every option. Specifically I will leave the costs and benefits of using cash and cryptocurrencies up to the viewer's own imagination.

Speakers

Chester Wisniewski

Principal Research Scientist, Sophos
Chester Wisniewski has been involved in the information security space since the late 1980s. He is currently a Principal Research Scientist in the Office of the CTO. Chet divides his time between research, public speaking, writing and attempting to communicate the complexities of...


Wednesday June 5, 2019 09:45 - 10:45 BST
Track 1 ILEC Conference Centre 47 Lillie Road London SW6 1UD

10:45 BST

Break
Coffee Break


Wednesday June 5, 2019 10:45 - 11:00 BST
Track 1 ILEC Conference Centre 47 Lillie Road London SW6 1UD

11:00 BST

Fixing the Internet's Auto-Immune Problem: Bilateral Safe Harbor for Good-Faith Hackers
Thousands of organizations have already adopted the idea of inviting good-faith hackers to hack into their systems via vulnerability disclosure, bug bounty and next-gen pen test programs. Even so, the risk of prosecution under anti-hacking laws still casts a cloud over the hackers who are trying to help, and many programs haven't removed this risk by including Safe Harbor language within their program policies. It's not intentional -- the simple truth is that the market has progressed so rapidly that most have implemented crowdsourced security programs without realizing this issue, nor do they know how to fix it. Bilateral Safe Harbor language enables program owners to not only provide a strong incentive for good-faith hackers in terms of explicit legal protection, but also to outline exactly what constitutes "good-faith" hacking for their organization, and leave legal protections against malicious hackers intact.

This talk provides an overview of Safe Harbor in the context of good-faith hacking and introduces a current effort to create a standardized, open-source, easily readable legal boilerplate for disclosure program owners all around the world to use.

What is Safe Harbor and key takeaways from CFAA/DMCA?
Why we need an open source vulnerability standardized disclosure
What is disclose.io?
How can companies participate?
How can security researchers participate?
How can the legal community participate?

Speakers

Chloe Messdaghi

Security Researcher Advocate/PM, Bugcrowd
Security Researcher Advocate/PM @Bugcrowd, board member for 4 nonprofits, one of the WIST founders, mentors, speaker on diversity and inclusion in InfoSec, and Drop Labels founder.


Wednesday June 5, 2019 11:00 - 11:30 BST
Track 1 ILEC Conference Centre 47 Lillie Road London SW6 1UD

11:30 BST

Understanding Stress, Anxiety and Depression and How to Cope
Understanding the symptoms of stress, anxiety and depression and knowing the mechanics of our mind and brain can help us deal with difficult situations. Stress, anxiety and depression are on the rise in society, not only in the adult population but in children and adolescents. Life in the modern world is fast and stressful. We feel the pressure to perform at work, in our private life, family life and finances, and the quality of our lives decreases, leaving us unfulfilled and anxious about our future. Our relationships with ourselves, the world and others are damaged by lack of time and the indefinite number of tasks and duties which need doing in a 24-hour period that is never enough; thus stress leads to anxiety and depression.

Speakers

Olga Zilberberg

My name is Olga Zilberberg and I am a CBT and NLP Practitioner working in private practice in Berkshire and South Oxfordshire area. I am passionate about helping people understand mental health challenges and find ways to better their lives in an empowering and fulfilling manner...


Wednesday June 5, 2019 11:30 - 12:30 BST
Track 1 ILEC Conference Centre 47 Lillie Road London SW6 1UD

12:30 BST

Lunch
Lunch


Wednesday June 5, 2019 12:30 - 13:30 BST
Track 1 ILEC Conference Centre 47 Lillie Road London SW6 1UD

13:30 BST

AWS vs Azure Security
All too often, an organisation’s choice of cloud provider is made at a senior management level, without considering security features of the different services. To help make an informed decision, we’ll attempt to answer this question at Security BSides:

• Who provides the best security features – AWS or Azure?

Drawing on experience of cloud migration projects in each environment, core AWS services and their Azure equivalents will be demonstrated, describing the security features in each case:

• AWS Identity and Access Management vs Azure Active Directory

• AWS S3 vs Azure Storage

• AWS Key Management Service vs Azure Key Vault

• AWS Security Groups vs Azure Network Security Groups

• AWS Security Hub vs Azure Security Center

Speakers

Paul Schwarzenberger

Cloud security architect and DevSecOps specialist, Celidor
Cloud security architect and DevSecOps specialist, using an agile DevSecOps approach to lead the implementation and migration of critical systems to public cloud. Speaker on Cloud Security and DevSecOps at conferences including Security BSides, DevSecCon and Enterprise Cloud Computing. Developer...


Wednesday June 5, 2019 13:30 - 14:00 BST
Track 1 ILEC Conference Centre 47 Lillie Road London SW6 1UD

14:00 BST

They are the Champions: how to build and maintain an effective cybersecurity champion programme within your organisation
In this presentation, we will look at how to maximise your security awareness programme and improve incident response by developing a security champions programme. A security champions programme is a network of people within an organisation who are not cybersecurity professionals but work as a security representative, functioning in much the same way as health and safety officers. This can be a great way of scaling up your awareness-raising, improving two-way communications between the infosec team and the rest of the organisation, enhancing security without needing a big budget and improving the likelihood of an employee reporting an incident. But, building and maintaining a champions programme from scratch can feel daunting. It's also very important to align a champions programme with your company culture, which means you need to understand your current culture, how long culture-change can take and what elements of culture will be impacted by a champions programme. That’s where we come in! In this talk, Kevin Millwood and Jessica Barker will use their real-world experience of champion programmes to outline:



· Why a champions programme can be such a good idea for cybersecurity
· Steps you can take to establish a champions programme from scratch
· Why cybersecurity culture matters, including defining what we mean by "cybersecurity culture"
· How you can get busy people to become security champions when it is not part of their day job (and they won’t get paid for it)
· Ways to monitor the effectiveness of your champions programme
· What some of the pitfalls of a champions programme are, and how to avoid them


If you’re interested in the human side of cybersecurity and you want to make people the strongest link in your security, this is the talk for you.

Speakers

Kevin Millwood

Cyber Risk Manager, Hargreaves Lansdown
Kevin Millwood has over 11 years of leadership and hands-on experience across IT and Security across various sectors. Currently holding the post of Cyber Risk Manager for Hargreaves Lansdown, Kevin looks after a strong security team, which includes around 80 Security Champions...

Jessica Barker

Co-Founder and co-CEO, Cygenta
Dr Jessica Barker is a leader in the human nature of cybersecurity. She has been named one of the top 20 most influential women in cyber security in the UK and in 2017 she was awarded as one of the UK’s Tech Women 50. She is Co-Founder and co-CEO of Cygenta, where she follows her...


Wednesday June 5, 2019 14:00 - 15:00 BST
Track 1 ILEC Conference Centre 47 Lillie Road London SW6 1UD

15:00 BST

Closed for Business: Taking Down Darknet Markets
Darknet markets come and go for various reasons. Over the last several years we've seen law enforcement take down several of the largest darknet markets to ever exist on the dark web. In a story that involves multi-national cooperation, death and deception, this talk will look at the fascinating story behind Operation Bayonet and the seizure and subsequent takedown of AlphaBay and Hansa. It will also cover the subsequent closure, in April 2019, of the leading darknet market, Dream.

Speakers

John Shier

Senior Security Advisor, Sophos
John Shier is a Senior Security Advisor working in the office of the CTO doing research into all manner of threats and security issues. John is passionate about communicating and popularizing security concepts and technologies to customers, partners, and the public at large in an...


Wednesday June 5, 2019 15:00 - 15:45 BST
Track 1 ILEC Conference Centre 47 Lillie Road London SW6 1UD

15:45 BST

Break

Wednesday June 5, 2019 15:45 - 16:00 BST
Track 1 ILEC Conference Centre 47 Lillie Road London SW6 1UD

16:00 BST

Inside Magecart - their web skimming tactics revealed
Magecart is an umbrella term given to at least a dozen cybercriminal groups that are placing digital credit card skimmers on compromised e-commerce sites at an unprecedented rate and with frightening success. In a few short months, Magecart has gone from relative obscurity to dominating international headlines and ascending to the top of the e-commerce industry's public enemy list.

Responsible for recent high-profile UK breaches of British Airways, Sotheby’s, Cancer Research UK and Vision Express UK in which its operatives intercepted thousands of consumer credit card records, Magecart is only now becoming a household name. However, its activity isn't new and points to a complex and thriving criminal underworld that has operated in the shadows for years.

In this session we'll cover the evolution of the groups from 2014/2015 to the present day, detailing their current tactics and techniques used to compromise website JavaScripts.

Speakers

Terry Bishop

Technical Director, RiskIQ
Terry has over 20 years of experience in IT Security & Networking working with both private and public sector organisations to deploy and manage security solutions, in both technical and leadership roles. His experience ranges from the endpoint to enterprise wide monitoring for...


Wednesday June 5, 2019 16:00 - 16:45 BST
Track 1 ILEC Conference Centre 47 Lillie Road London SW6 1UD

16:45 BST

CyberRange: an open-source offensive security lab in AWS
The SecDevOps-Cuse/CyberRange aims to be an open-source offensive/defensive security project providing aspiring & experienced cyber security professionals a bootstrap framework. It serves to automate the creation of a private training lab in AWS. This talk reviews the project’s underlying technology components, identifies the dependencies, then outlines both use-cases & learning opportunities. The ultimate goal is to introduce a safe environment where security professionals work to expand their vulnerability management, cloud computing, & offensive security knowledge.

Speakers

Thomas Cappetta

Vulnerability Research Engineer, Tenable
Cappetta is a Vulnerability Research Engineer at Tenable, the world's best cyber exposure company. His technical career started in Enterprise IT Operations, at 2 of the world’s largest banks. He embraced the DevOps movement in 2009, then navigated through the Quality Assurance...


Wednesday June 5, 2019 16:45 - 17:30 BST
Track 1 ILEC Conference Centre 47 Lillie Road London SW6 1UD

17:30 BST

Closing Ceremony
Welcome address from the crew

Wednesday June 5, 2019 17:30 - 18:00 BST
Track 1 ILEC Conference Centre 47 Lillie Road London SW6 1UD
 
