Breaking Into Information Security – Understanding & Helping – Andy Gill
I published a book last year talking about how to break into the security sphere; however, I still get asked how to do it, about all the additional details that are left out, etc. This talk looks to outline what it really takes to get into the industry, how to survive your first gig, things to look out for and general advice for individuals looking to get into this great industry. I’d also be keen to share how I made it into the industry and give back the lessons I’ve learned over time, passing on knowledge is key!
I’m Andy, I work as a tester of Pens (Bic Certified!), I haven’t submitted a talk to Steelcon before but felt 2018 was the year to submit talks to conferences! I wrote a book and write a blog that aims to help people better transition into security and… I’m Ginger, Woody feel sorry for me! 😉
Can’t hack, love to lurk: Sharing academic research – Helen Thackray
For the past 2.5 years I have been studying hacking communities as my PhD research, looking at the social psychology, how being part of a group affects individuals, and the concept of the hacker identity – what makes someone a hacker? From 4chan to DefCon, surveys and interviews, I’m reaching the end of my research, and I’d like to share what I’ve learnt with the community that has helped me so much.
PhD student writing up thesis on social psychology and social identity within hacking communities.
COM and the PowerThIEf – Robert Maslen
During some of our Red Team engagements we quite often find that Internet Explorer is being used as the business browser of choice. We have also found that quite a lot of intranet sites and internal line of business applications mandate its usage. Consequently a lot of targets we need to access during engagements either have their credentials entered into or have session cookies stored within an Internet Explorer session.
In order to gain access we have keylogged, dumped memory, screenshotted and used other techniques to recover what we need, but generally it has all been very manual and none of these tools/methods really align with the red team workflow. So after performing some Windows archaeology we were pointed to one of IE’s lesser known Super Powers: the ability to be automated (essentially remote controlled) from another process via COM.
In this talk we will present a PowerShell post exploitation module called Invoke-PowerThIEf which provides you, the Red Teamer, with the ability to dump all the current URLs being browsed (background tabs too), invoke script in the tab of your choice, log users out of web applications, edit the DOM, and persistently hook any login forms, grabbing any creds that are typed or copied (yep, Password Managers, looking at you), all from the comfort of another process. There might even be some other surprise functions…
Rob Maslen is a Principal Security Consultant at Nettitude and proud member of the DerbyCon CTF winning team SpicyWeasel. Before switching to InfoSec Rob had previously worked as a developer since 1999, where he gained an interest in Windows Internals and solving problems with C# (having previously been involved in creating them with C++ 🙂). His days are spent either Red Teaming or developing tools; some recent releases include SharpSocks and Port/Arp Scanners for PoshC2. Passionate advocate for the world’s greatest tool LinqPad and anything Sysinternals.
EternalBlue: Exploit Analysis and Beyond – Emma McCall
In early 2017, a large selection of exploits, code and operational documents (reportedly from a US Gov’t org) were released to the wider internet. This exploit dump kick-started my own deeper journey into Malware and Exploit analysis.
Join us for a technical analysis of EternalBlue – one of the more powerful exploits in the release – and hear the story of the havoc it caused around the world throughout the year.
Even in the face of complex malware or nation state exploits, we can develop our security skills and push ourselves to learn more. To that end we will break down the process that was used to analyse EternalBlue, a process which can be reused to assess almost any malware or exploit in future.
As a Security Analyst at Riot Games, Emma is responsible for hunting, mitigating and analyzing threats targeting the games industry. She is also active in the security community, avidly following the release of new malware and exploits. Emma has recently produced in-depth analyses of well known examples such as EternalBlue and WannaCry.
Exploiting Screen Recording and Automated Input on Android – Amar Menezes
Is it possible for an Android application to surreptitiously record a user’s screen and/or automate user input? If so, how do attackers exploit it and how do application developers defend against such attacks?
This talk explores the functionality exposed by the Android Open Source Project (AOSP) framework that could be exploited to achieve screen recording or automated input on a stock, non-rooted Android device. It then examines the defences placed by AOSP developers to prevent the abuse of this functionality. Finally, a couple of vulnerabilities I’ve identified in the AOSP framework are discussed and demonstrated that circumvent these defences and allow an Android application to record the user’s screen and/or automate input.
Amar Menezes is a Mobile Security Consultant at MWR and a developer on project Drozer. His interests include Android and iOS vulnerability research.
Fixing Revocation: How We Failed and How We’ll Succeed – Mark Goodwin
Almost everyone uses the web for something they consider important, and yet certificate revocation, a fundamental building block of the secure web, has been broken for as long as HTTPS has been around. This is a brief history of the problem – and how we’re fixing it.
I build web security technology for Mozilla and robots for fun.
GDPR for Hackers – Carl Gottlieb
Tighter privacy laws are great, right? But what do they mean for the more technical amongst us?
In this session Carl will discuss what the GDPR actually means for breaches and technical security, the awesome power of responsible disclosure, whether OSINT is now illegal, how the GDPR helps perform identity theft on a vast scale and whether WHOIS is now dead for security researchers. This presentation will be a bit different, with a limited number of seats in a small room and an intimate Q&A all the way through. If you’ve got a few nagging questions around GDPR, come along to this session and get involved in the conversation.
Really exciting charismatic GDPR guy.
Hacking SCADA – How We Lost a Company £1.6M with only 4 Lines of Code – Matt Carr and Mike Godfrey
Hacking SCADA, or more commonly ICS, is serious business; unlike other areas of offensive security, one mistake can cost lives. Mike and Matt will present their ICS research, walk through caveats and protocols, and show some demos. We will also show how you can start researching industrial systems safely and cover what you need to know to not get someone killed. We will also share the story and method behind how we cost a company £1.6M in lost earnings with only 4 lines of code. We will not be showing exploit code as we believe, given what’s at stake, it’s highly irresponsible; what we will do is give responsible researchers the knowledge they need to get involved and start helping to secure critical infrastructure.
Matthew is currently working as head of R&D at Insinia Security. Matthew’s previous roles included senior penetration tester and researcher at SecureLink, Europe’s largest managed security services provider, and Operational Security Specialist at Ikea, overseeing worldwide Operational Security as part of a Specialist Team. Matthew regularly speaks at industry events and gives lectures on offensive security at Malmö’s Technology University in Sweden. Matthew spent over 3 years as part of an R&D team building intrusion detection software, a secure cloud platform, SIEM tools and other security software; Matthew is not only a competent red teamer but also a valuable asset to any blue team. Matthew works as a Cyber Security contributor for the Telegraph, Talk Radio and SVT.
Mike, Director of INSINIA Security, started life as a “hacker” before he had hit his teens and has a professional background in Electro-technical / Electro-mechanical Engineering and almost 20 years’ experience in building and breaking computers. Mike offers a unique perspective when it comes to varied and multi-vector attacks and is regarded as one of the UK’s most capable multi-skilled Cyber Security Specialists, gaining notoriety in the Cyber Security industry for using elements of different skills, both on hard and soft surfaces, to carry out highly technical and often highly intricate electronic attacks. One of these attacks includes hacking Costco’s high security Sentry display safe with nothing more than a magnet and a sock! Mike works as a Cyber Security contributor for the BBC, LBC, Channel 4 and was the Ethical Hacker who discovered the TalkTalk and O2 data breach stories.
How I Break into Casinos, Airports and CNI: The Basics of Social Engineering – Chris Pritchard
This talk will be about the basics of social engineering into a client’s site/office. I think most SE talks focus on the more technical “human” aspects and I’m purposefully ignoring that side as I think the audience can often get scared by thinking they have to learn every facial micro expression to get into a client’s site successfully. So, I’m going to focus on the basics: how to perform reconnaissance, how to match dress styles, how to make up a pretext that fits your knowledge, how to get real staff to help you, what to do if you do get in, why you should interact with staff, why you should practice being observant, and why you should leave people feeling better for having met you (Chris Hadnagy taught me this).
Chris P, Pen Tester by day, husband and guitar player by night. I’ve been in the security industry for 10+ years and love that I learn something new every day!
I Wrote my Own Ransomware; did not make 1 iota of a Bitcoin – Thomas Fischer
2016 saw a substantial rise in ransomware attacks and in some cases the return of some favourites, with Cryptowall, CTB-LOCKER and TeslaCrypt being some of the most popular. The volume of attacks was in fact pretty steady for a good part of the year, with regular campaigns coming out on a weekly basis. It was interesting to see the variety in mechanisms used for the ransomware, which not only included self-contained binaries but went all the way to the use of scripts. As part of the research I conducted last year, I wanted to understand why there was such a drive and lure for ransomware beyond the fact that victims will pay, as well as have some way of properly testing “anti-ransomware” solutions with an unknown variant. So to do that, I went ahead and built my own ransomware and drew some conclusions on why it became so popular. This talk explores the background and process used to build a live ransomware that I was able to use for controlled testing, and finally draws some of my own personal conclusions.
Thomas has over 30 years of experience in the IT industry, ranging from software development to infrastructure & network operations and architecture, before settling in information security. He has an extensive security background covering roles from incident responder to security architect at Fortune 500 companies, vendors and consulting organisations. He is currently a security advocate and threat researcher focused on advising companies on understanding their data protection activities against malicious parties, not just for external threats but also compliance-instigated ones.
Thomas is also an active participant in the InfoSec community not only as a member but also as director of Security BSides London, ISSA UK chapter board member and speaker at events like SANS DFIR EMEA, DeepSec, Shmoocon, and various BSides events.
L is for Luser – Scott Storey
It’s well known that everyone in IT hates end users and that security loathe them. They click obvious phishing links, they install dodgy software and they send your entire customer database to their personal email addresses.
In short, they are stupid and it’s all their fault for doing it wrong.
That was my opinion for a long time as well and I want to show you why they aren’t just stupid and how it might be you failing them.
In this talk I’ll go through my journey from luser-hating tech support to people-loving security guy.
15+ for occasional and inevitable swearing.
Cyber Security Specialist @ Sky Betting & Gaming & Associate Lecturer @ Sheffield Hallam University
Not a hacker, yet. – Chris Ratcliff
I am a security professional. I spend my days talking about security, I travel to events, and I have an unhealthy amount of stress balls and T shirts. I read NIST reports, point at magic quadrant charts and review CVE mitigation plans.
But I’m not a hacker. I attend cons and marvel at the wizardry of others to monitor, change and break cool stuff. I read the work others publish to find and exploit vulnerabilities. I don’t even have the skills to quit Emacs without Googling.
So I decided to change that. These are my first steps from noob-dom towards becoming a hacker, with soldering iron in one hand, a python book in the other, and plenty of enthusiasm.
Chris Ratcliff, security bloke, photographer, done a lot of crypto but now trying to get into terminals, shells and scripts.
Profiling the attacker – James Stevenson
- Building an information classification for your assets
- Attack significance plotting
- Attack factor comparison analysis
- Discerning motive
- Attacker kill chain analysis
- Malicious actor profile checklist
- Naming conventions for malicious actors
Security analyst at BT security for the past year and before that I was an intern in a SOC at a Texan company called Alert Logic.
The Arcane Arts of Linux – Alastair O’Neill
A journey through some techniques developed for Linux pentests, with a focus on red-teaming and living off the land.
Penetration tester, researcher, forensiciatrist, and former rootkit wizard with a penchant for old Unices.
The Dark Arts – Neil Lines
This presentation will demo hacks that I think are cool; it will unearth commonly overlooked configurations which, once exploited, can result in a complete compromise of a chosen target. Both external and internal exploitation, including demos on chaining vulnerabilities, will be discussed.
The presentation will start with what I describe as a nuclear-level exploit; after this I won’t be holding back, exploit after exploit will be presented.
The aim is to make this easy and fun to watch, and I hope it will be of interest to all areas of security not just pentesters.
Neil Lines is a Red Teamer working for Raytheon; prior to this role he had over seven years’ experience in performing internal and external infrastructure, web application and social engineering engagements. Neil regularly performs guest lectures on penetration testing and has spoken at many security conferences.
What does it take to steal $81m? – Donato Capitella and Oliver Simonnet
Media attention after the 2016 Bangladesh Central Bank heist shone a light on attacks against SWIFT payment systems, and recent Shadow Brokers leaks indicate that similar operations might’ve been carried out by nation state actors, albeit with a wholly different motive to stealing money.
In this presentation MWR will share its own experience and lessons learnt from assessing the security of SWIFT-related payment systems, including specific insights from the work that was carried out in the last two years together with major financial institutions. This will be integrated and compared with an analysis of what is publicly known about major SWIFT breaches.
- SWIFT 101 (What are the components of a typical SWIFT deployment? How to create SWIFT messages? What’s the attack surface?)
- Analysis of some notorious SWIFT attacks (How were they accomplished? What do they have in common? How much was stolen?)
- As an industry, are we ready to defend SWIFT and other payment systems? (What’s working, what do we need to do better? Once SWIFT is harder to compromise, where will attackers go next?)
Ollie and Donato are security consultants at MWR InfoSecurity. Ollie works mainly with application and infrastructure penetration testing, while Donato works with the Cyber Defence practice, helping clients understand how attackers might target them and what strategies can be implemented to become more resilient.
What I’ve Learned From Billions of Security Reports Every Month – Scott Helme
Running one of the largest security reporting platforms of its kind, we handle billions of security reports for our customers every single month. With our bird’s-eye view of such a diverse ecosystem we’ve helped identify malware in a multinational organisation, had a malicious browser plugin taken down and much more. Come and learn how we’re helping grow adoption of modern security standards and how we’re helping protect the wider community.
Scott Helme is a security researcher, consultant and international speaker. He can often be found talking about web security and performance online and helping organisations better deploy both.
Founder of report-uri.com, a free CSP report collection service, and securityheaders.com, a free security analyser, Scott has a tendency to always be involved in building something new and exciting.
You’ve Got Mail! – Dan Caban and Muks Hirani
Each year we see advancements in adversary tools, techniques, and procedures, but consistency in the targeting of email infrastructure. An organization’s email server is an excellent location for privilege escalation, maintaining presence, or data theft. This talk will use case studies from intrusions by advanced persistent threats to highlight the following areas where email infrastructure was a significant part of the attack lifecycle:
- Initial compromise via email: how social engineering and trust from the supply chain can be used to increase the likelihood of a successful foothold.
- Bypassing two factor authentication (2FA) to access email: case studies of using email to access 2FA tokens, and other advanced methodologies to access email behind 2FA.
- Planting persistent backdoors that attack and intercept mail in email clients on compromised endpoints: examples of email client-based backdoors used by Turla and other suspected Iranian threat groups.
- Compromising Microsoft Exchange servers with a variety of tools ranging from public webshells to custom IIS modules and handlers.
- Abusing the legitimate features of Microsoft Exchange Control Panel (ECP), including ECP eDiscovery features and leveraging the rich PowerShell toolset provided to legitimate administrators.
This talk is especially relevant to red teamers, as it will show how forensic investigators are detecting and responding to tradecraft overlap between authorized testing and targeted intrusions.
Dan Caban is a Principal Consultant at Mandiant and is based in Dubai. Dan has more than twelve years of experience in digital forensics, incident response, and remediation consulting. At Mandiant, he has responded to intrusions involving targeted threat actors in many market verticals, including government, finance, transportation, and energy. In addition to investigations in information technology and operational technology networks, Dan has delivered digital forensic and incident response training and helped to design or develop new methodologies to detect the tools, techniques, and procedures used by the adversaries he investigates.