We are still arguing over some of the submissions but here are the talks that have been accepted so far.
Breaking Into Information Security – Understanding & Helping – Andy Gill
I published a book last year talking about how to break into the security sphere; however, I still get asked how to do it, about all the additional details that were left out, etc. This talk looks to outline what it really takes to get into the industry, how to survive your first gig, things to look out for and general advice for individuals looking to get into this great industry. I’d also be keen to share how I made it into the industry and give back the lessons I’ve learned over time. Passing on knowledge is key!
Can’t hack, love to lurk: Sharing academic research – Helen Thackray
For the past 2.5 years I have been studying hacking communities as my PhD research, looking at the social psychology, how being part of a group affects individuals, and the concept of the hacker identity: what makes someone a hacker? From 4chan to DefCon, surveys and interviews, I’m reaching the end of my research, and I’d like to share what I’ve learnt with the community that has helped me so much.
Cloud Security Suite – One stop tool for AWS & GCP Security Audit – Jayesh Chauhan
Nowadays, cloud infrastructure is pretty much the de facto service used by large and small companies alike. Most major organisations have moved entirely to the cloud. With more and more companies moving to the cloud, the security of the cloud becomes a major concern.
While AWS and GCP provide you with protection through traditional security methodologies and have a neat structure for authorisation and configuration, their security is only as robust as the person in charge of creating and assigning these configuration policies. As we all know, human error is inevitable, and any such mistake could lead to catastrophic damage to the environment.
A few vulnerable scenarios:
- Your security groups, password policy or IAM policies are not configured properly
- S3 buckets are world-readable
- Web servers support vulnerable SSL ciphers
- Ports are exposed to the public with vulnerable services running on them
- Root credentials are used
- Logging or MFA is disabled
And many more such scenarios…
Knowing all this, auditing cloud infrastructure becomes a hectic task! There are a few open source tools which help with cloud auditing, but none of them has an exhaustive checklist. Also, collecting and setting up all the tools and looking at different result sets is painful. Moreover, when maintaining big infrastructures, a system audit of the server instances is a major task as well.
CS Suite is a one-stop tool for auditing the security posture of AWS & GCP infrastructure, and it does OS audits as well. CS Suite leverages the capabilities of existing open source tools and adds custom checks of its own: one tool to rule them all.
The major features include:
- Simple installation, with support for Python virtual environments and Docker containers
- GCP Audit
- Initiate all tools/audit checks in one go
- AWS Infra Audit:
  - Eases your “open source setup” pain
  - Compilation of all audit checks in one place
  - Centralised portable reports
  - Audits individual systems
- AWS Instance Audit:
  - IP-based auditing
  - Region-independent audit (public IP)
  - Supports both public and private IPs for the default region
- Automatic report generation and fetching:
  - Portable HTML report
  - JSON output
- Integration of AWS Trusted Advisor
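As an added illustration of the kind of check the scenarios above call for (world-readable S3 bucket, sensitive port open to the internet, root access keys and missing MFA), the following is an offline audit in Python. It is example code written for this page, not code from CS Suite or from any of the tools it wraps. The inputs are constructed here and shaped like the real API responses (the JSON returned by S3 GetBucketPolicy, one entry from EC2 DescribeSecurityGroups, and the IAM credential report CSV trimmed to the columns read); the list of sensitive ports and the finding strings are this example’s own choices.

```python
import csv
import io

# Ports a reviewer would not want reachable from the whole internet.
# Illustrative list for this example, not an AWS or CS Suite constant.
SENSITIVE_PORTS = (22, 1433, 3306, 3389, 5432)
WORLD_CIDRS = ("0.0.0.0/0", "::/0")


def _as_list(value):
    """IAM documents allow a bare string wherever a list is valid; normalise."""
    return value if isinstance(value, list) else [value]


def public_read_statements(policy: dict) -> list:
    """Indexes of GetBucketPolicy statements granting object reads to everyone.
    Statements carrying a Condition are skipped, not flagged: they need a manual look."""
    hits = []
    for i, st in enumerate(policy.get("Statement", [])):
        if st.get("Effect") != "Allow" or st.get("Condition"):
            continue
        principal = st.get("Principal", [])
        if isinstance(principal, dict):          # {"AWS": "*"} form
            principal = principal.get("AWS", [])
        if "*" not in _as_list(principal):
            continue
        if any(a in ("*", "s3:*", "s3:GetObject") for a in _as_list(st.get("Action", []))):
            hits.append(i)
    return hits


def open_ingress(security_group: dict) -> list:
    """(port, cidr) pairs where a sensitive port is open to 0.0.0.0/0 or ::/0."""
    findings = []
    for perm in security_group.get("IpPermissions", []):
        cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
        cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
        public = [c for c in cidrs if c in WORLD_CIDRS]
        if not public:
            continue
        if perm.get("IpProtocol") == "-1":       # "all traffic" rule, no port fields
            lo, hi = 0, 65535
        else:
            lo, hi = perm.get("FromPort", 0), perm.get("ToPort", 65535)
        for port in SENSITIVE_PORTS:
            if lo <= port <= hi:
                findings.extend((port, c) for c in public)
    return findings


def credential_report_findings(report_csv: str) -> list:
    """Root access keys and console users without MFA, from the credential report."""
    findings = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        user = row["user"]
        if user == "<root_account>":
            if "true" in (row["access_key_1_active"], row["access_key_2_active"]):
                findings.append("root account has active access keys")
            if row["mfa_active"] != "true":
                findings.append("root account has no MFA")
        elif row["password_enabled"] == "true" and row["mfa_active"] != "true":
            findings.append(f"{user}: console password without MFA")
    return findings


# Constructed sample inputs, shaped like the real API responses.
BUCKET_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
         "Resource": "arn:aws:s3:::example-bucket/*"},                    # world-readable
        {"Effect": "Allow", "Principal": {"AWS": "*"}, "Action": "s3:GetObject",
         "Resource": "arn:aws:s3:::example-bucket/*",
         "Condition": {"IpAddress": {"aws:SourceIp": "203.0.113.0/24"}}},  # scoped by IP
    ],
}
SECURITY_GROUP = {
    "GroupId": "sg-0example",
    "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},                  # SSH open to the world
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},                  # expected for a web tier
        {"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306,
         "IpRanges": [{"CidrIp": "10.0.0.0/8"}]},                 # internal only
    ],
}
# Credential report trimmed to the columns the check reads (the real CSV has more).
CREDENTIAL_REPORT = """user,password_enabled,mfa_active,access_key_1_active,access_key_2_active
<root_account>,not_supported,false,true,false
alice,true,true,false,false
bob,true,false,true,false
"""


def run_audit(bucket_policy=BUCKET_POLICY, security_group=SECURITY_GROUP,
              credential_report=CREDENTIAL_REPORT) -> dict:
    """Run every check and return one findings document."""
    return {
        "s3_public_statements": public_read_statements(bucket_policy),
        "sg_open_ingress": open_ingress(security_group),
        "iam_credentials": credential_report_findings(credential_report),
    }


if __name__ == "__main__":
    print(run_audit())
```

Against the sample data this reports statement 0 of the bucket policy (the IP-scoped statement is left for a human), port 22 open to 0.0.0.0/0, active root keys, no root MFA, and bob’s console password without MFA. Wiring the same functions to live data is a matter of replacing the constants with the output of the corresponding boto3 calls; the check logic does not change.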
COM and the PowerThIEf – Robert Maslen
During some of our Red Team engagements we quite often find that Internet Explorer is being used as the business browser of choice. We have also found that quite a lot of intranet sites and internal line-of-business applications mandate its usage. Consequently, a lot of the targets we need to access during engagements either have their credentials entered into, or their session cookies stored within, an Internet Explorer session.
In order to gain access we have keylogged, dumped memory, screenshotted and used other techniques to recover what we need, but generally it has all been very manual and none of these tools/methods really align with the red team workflow. So, after performing some Windows archaeology, we were pointed to one of IE’s lesser-known super powers: the ability to be automated (essentially remote controlled) from another process via COM.
In this talk we will present a PowerShell post-exploitation module called Invoke-PowerThIEf which provides you, the Red Teamer, with the ability to dump all the current URLs being browsed (background tabs too), invoke script in a tab of your choice, log users out of web applications, edit the DOM, and persistently hook any login forms, grabbing any creds that are typed or copied (yep, password managers, looking at you), all from the comfort of another process. There might even be some other surprise functions…
Compliance, or how to create insecurity while thinking you are doing security – Julie Gommes
How are standards affecting InfoSec?
Over the last few years, one of the key security problems has been compliance, which can unfortunately let malware infect a system. Securing a scope means a lot more than taking a repository and aligning with compliance requirements. That mistake, however, is getting more and more common.
Dashboards are very badly used today, as is easy to see in organisational audits or CISO support missions.
Being “compliant”, protecting the company from financial losses by providing results to insurers rather than protecting the company from attacks, is the new way to do security.
This talk looks at the standards from another angle: that of the security that was supposed to prevail.
EternalBlue: Exploit Analysis and Beyond – Emma McCall
In early 2017, a large selection of exploits, code and operational documents (reportedly from a US Gov’t org) were released to the wider internet. This exploit dump kick-started my own deeper journey into Malware and Exploit analysis.
Join us for a technical analysis of EternalBlue – one of the more powerful exploits in the release – and hear the story of the havoc it caused around the world throughout the year.
Even in the face of complex malware or nation state exploits, we can develop our security skills and push ourselves to learn more. To that end we will break down the process that was used to analyse EternalBlue; a process which can be reused to assess almost any malware or exploit in future.
Exploiting Screen Recording and Automated Input on Android – Amar Menezes
Is it possible for an Android application to surreptitiously record a user’s screen and/or automate user input? If so, how do attackers exploit it and how do application developers defend against such attacks?
This talk explores the functionality exposed by the Android Open Source Project (AOSP) framework that could be exploited to achieve screen recording or automated input on a stock, non-rooted Android device. It then examines the defences put in place by AOSP developers to prevent the abuse of this functionality. Finally, a couple of vulnerabilities I’ve identified in the AOSP framework are discussed and demonstrated which circumvent these defences and allow an Android application to record the user’s screen and/or automate input.
Fixing Revocation: How We Failed and How We’ll Succeed – Mark Goodwin
Almost everyone uses the web for something they consider important, and yet certificate revocation, a fundamental building block of the secure web, has been broken for as long as HTTPS has been around. This is a brief history of the problem, and of how we’re fixing it.
GDPR for Hackers – Carl Gottlieb
Tighter privacy laws are great, right? But what do they mean for the more technical amongst us?
In this session Carl will discuss what the GDPR actually means for breaches and technical security, the awesome power of responsible disclosure, whether OSINT is now illegal, how the GDPR helps perform identity theft on a vast scale and whether WHOIS is now dead for security researchers. This presentation will be a bit different, with a limited number of seats in a small room and an intimate Q&A all the way through. If you’ve got a few nagging questions around GDPR, come along to this session and get involved in the conversation.
Hacking SCADA – How We Lost a Company £1.6M with only 4 Lines of Code – Matt Carr and Mike Godfrey
Hacking SCADA, or more commonly ICS, is serious business: unlike other areas of offensive security, one mistake can cost lives. Mike and Matt will present their ICS research, walk through caveats and protocols, and show some demos. We will also show how you can start researching industrial systems safely and cover what you need to know to not get someone killed. We will also share the story and method behind how we cost a company £1.6M in lost earnings with only 4 lines of code. We will not be showing exploit code, as we believe that, given what’s at stake, it’s highly irresponsible; what we will do is give responsible researchers the knowledge they need to get involved and start helping to secure critical infrastructure.
How I break into casinos, airports and CNI. The basics of Social Engineering – Chris Pritchard
This talk will be about the basics of social engineering your way into a client’s site/office. I think most SE talks focus on the more technical “human” aspects, and I’m purposefully ignoring that side, as I think the audience can often get scared by thinking they have to learn every facial micro-expression to get into a client’s site successfully. So, I’m going to focus on the basics: how to perform reconnaissance, how to match dress styles, how to make up a pretext that fits your knowledge, how to get real staff to help you, what to do if you do get in, why you should interact with staff, why you should practise being observant, and why you should leave people feeling better for having met you (Chris Hadnagy taught me this).
I Wrote my Own Ransomware; did not make 1 iota of a Bitcoin – Thomas Fischer
2016 saw a substantial rise in ransomware attacks and in some cases the return of some favourites, with Cryptowall, CTB-LOCKER and TeslaCrypt being some of the most popular. The volume of attacks was in fact pretty steady for a good part of the year, with regular campaigns coming out on a weekly basis. It was interesting to see the variety in mechanisms used for the ransomware, which not only included self-contained binaries but went all the way to the use of scripts. As part of the research I conducted last year, I wanted to understand the drive and lure of ransomware beyond the fact that victims will pay, as well as to have some way of properly testing “anti-ransomware” solutions with an unknown variant. So, to do that, I went ahead and built my own ransomware and drew some conclusions on why it became so popular. This talk explores the background and process used to build a live ransomware that I was able to use for controlled testing, and finally draws some of my own personal conclusions.
L is for Luser – Scott Storey
It’s well known that everyone in IT hates end users and that security loathes them. They click obvious phishing links, they install dodgy software and they send your entire customer database to their personal email addresses.
In short, they are stupid and it’s all their fault for doing it wrong.
That was my opinion for a long time as well, and I want to show you why they aren’t just stupid and how it might be you failing them.
In this talk I’ll go through my journey from luser-hating tech support to people-loving security guy.
15+ for occasional and inevitable swearing.
Not a hacker, yet. – Chris Ratcliff
I am a security professional. I spend my days talking about security, I travel to events, and I have an unhealthy amount of stress balls and T shirts. I read NIST reports, point at magic quadrant charts and review CVE mitigation plans.
But I’m not a hacker. I attend cons and marvel at the wizardry of others to monitor, change and break cool stuff. I read the work others publish to find and exploit vulnerabilities. I don’t even have the skills to quit Emacs without Googling.
So I decided to change that. These are my first steps from noob-dom towards becoming a hacker, with a soldering iron in one hand, a Python book in the other, and plenty of enthusiasm.
Profiling the attacker – James Stevenson
- Building an information classification for your assets
- Attack significance plotting
- Attack factor comparison analysis
- Discerning motive
- Attacker kill chain analysis
- Malicious actor profile checklist
- Naming conventions for malicious actors
The Arcane Arts of Linux – Alastair O’Neill
A journey through some techniques developed for Linux pentests, with a focus on red-teaming and living off the land.
The Dark Arts – Neil Lines
This presentation will demo hacks that I think are cool. It will unearth commonly overlooked configurations which, once exploited, can result in a complete compromise of a chosen target. Both external and internal exploitation, including demos on chaining vulnerabilities, will be discussed.
The presentation will start with what I describe as a nuclear-level exploit; after this I won’t be holding back, and exploit after exploit will be presented.
The aim is to make this easy and fun to watch, and I hope it will be of interest to all areas of security not just pentesters.
What does it take to steal $81m? – Donato Capitella and Oliver Simonnet
Media attention after the 2016 Bangladesh Central Bank heist shone a light on attacks against SWIFT payment systems, and the recent Shadow Brokers leaks indicate that similar operations might’ve been carried out by nation state actors, albeit with a wholly different motive from stealing money.
In this presentation MWR will share its own experience and lessons learnt from assessing the security of SWIFT-related payment systems, including specific insights from the work that was carried out in the last two years together with major financial institutions. This will be integrated and compared with an analysis of what is publicly known about major SWIFT breaches.
- SWIFT 101 (What are the components of a typical SWIFT deployment? How to create SWIFT messages? What’s the attack surface?)
- Analysis of some notorious SWIFT attacks (How were they accomplished? What do they have in common? How much was stolen?)
- As an industry, are we ready to defend SWIFT and other payment systems? (What’s working, what do we need to do better? Once SWIFT is harder to compromise, where will attackers go next?)
What I’ve Learned From Billions of Security Reports Every Month – Scott Helme
Running one of the largest security reporting platforms of its kind, we handle billions of security reports for our customers every single month. With our bird’s-eye view of such a diverse ecosystem we’ve helped identify malware in a multinational organisation, had a malicious browser plugin taken down and much more. Come and learn how we’re helping grow adoption of modern security standards and how we’re helping protect the wider community.
You’ve Got Mail! – Dan Caban and Muks Hirani
Each year we see advancements in adversary tools, techniques, and procedures but consistency in the targeting of email infrastructure. An organization’s email server is an excellent location for privilege escalation, maintaining presence, or data theft. This talk will use case studies from intrusions by advanced persistent threats to highlight the following areas where email infrastructure was a significant part of the attack lifecycle:
- Initial compromise via email: how social engineering and trust from the supply chain can be used to increase the likelihood of a successful foothold.
- Bypassing two factor authentication (2FA) to access email: case studies of using email to access 2FA tokens, and other advanced methodologies to access email behind 2FA.
- Planting persistent backdoors that attack and intercept mail in email clients on compromised endpoints: examples of email client-based backdoors used by Turla and other suspected Iranian threat groups.
- Compromising Microsoft Exchange servers with a variety of tools ranging from public webshells to custom IIS modules and handlers.
- Abusing the legitimate features of Microsoft Exchange Control Panel (ECP), including ECP eDiscovery features and leveraging the rich PowerShell toolset provided to legitimate administrators.
This talk is especially relevant to red teamers, as it will show how forensic investigators are detecting and responding to tradecraft overlap between authorized testing and targeted intrusions.