Talk Schedule

You are here: Home » The Event » Talk Schedule

The following schedule is for Saturday 8th 2017. Full talk details will be added soon and will be available in your brochure on the day.

The kids track will start at 10:30 once the opening talk has finished.

Track 1 – Pennine Lecture Theatre

Same room as main track in 2016

10:00 – 10.30 Opening Speech (PG)

10.30 – 11.30 Chris Truncer and Brandon Arvanaghi (PG) – CheckPlease – Payload-Agnostic Sandbox Detection

11.30 – 12.30 Dominic Chell & Vincent Yiu (PG) – A Year In The Red

12.30 – 13.30 Sam Brown (PG) – A chain is only as strong as its weakest Win32k

13.30 – 14.30 Lunch

14.30 – 15.30 Darren Martyn (18+++) – A look at TR-06FAIL and other CPE Configuration Disasters

15.30 – 16.30 Chris Boyd (PG) – Mahkra ni Orroz

16.30 – 17.30 Soroush Dalili (PG) – HTTP Invisibility Cloak

17.30 – 18.00 SteelCon Crew (PG) – Closing speech

Track 2 – Peak Lecture Theatre

Same room as track 2 in 2016

10.30 – 11.30 Stefan Hager (15+) – Honey in the age of Cyber

11.30 – 12.30 Achim D. Brucker and Michael Herzberg (15+) – The evil friend in your browser

12.30 – 13.30 Nicky Bloor (PG) – Practical Serialization Attacks

13.30 – 14.30 Lunch

14.30 – 15.30 Neil Lines (PG) – Samurai of the west

15.30 – 16.30 Scott Helme (PG) – Revocation is broken, here’s how we’re fixing it

16.30 – 17.30 Ken Munro (18+) – Dicking around with dildos

Track 3 – Norfolk Lecture Theatre

The short wide one round the back we used for track 2 in 2015.

10.30 – 11.30 Ian Thornton-Trump (15) – 10 Years Forward into the Future: Fact, Fiction & Failure

11:30 – 12:30 Ignat Korchagin (PG) – Reclaim back keys for your Kingdom: a vaultless password manager

12.30 – 13.30 Carl Gottlieb (18+) – Let’s Cut The Crap on GDPR

13.30 – 14.30 Lunch

14.30 – 15.30 Steve Mitchell (PG) – (When it comes to security…) Nothing’s new, everything’s new.

15.30 – 16.30 Dan Raywood (PG) – From Stuxnet to Stuck Without the Net

16.30 – 17.30 Lightning talks


CheckPlease – Payload-Agnostic Sandbox Detection

In this talk, we release CheckPlease, a comprehensive repository of sandbox evasion techniques we have developed from a variety of sources. CheckPlease offers implementations for each sandbox evasion technique in Go, Ruby, Python, PowerShell, C#, and Perl, so the checks are compatible with any payload provided. We plan on discussing an almost comprehensive set of sandbox evasion techniques used, the thought processes behind them, how they are implemented across different languages, and release the codebase for all attendees.

A Year In The Red

As defensive technologies and detection capabilities improve, aggressors must evolve, adapting their tactics to avoid the spotlight shone by the blue team. This talk examines the most significant advances in red team tactics that have come to light over the course of the past 12 months. In addition to the public research that bore us the most fruit, we will also detail some of the research performed by MDSec’s ActiveBreach team. Specifically, our research includes some of the following:

  • Domain Fronting: how to egress using high reputation domains and evade controls such as proxy categorisation,
  • Attacking ADFS: how Internet facing ADFS endpoints can be abused to gain entry to corporate environments,
  • Sandbox Evasion: how popular (and expensive) malware protection sandboxes can be bypassed.

Where applicable, war stories and demonstrations will illustrate successes (and failures) from the front line. Finally, we will conclude with our predictions from both an offensive and defensive standpoint for the next 12 months.

A chain is only as strong as its weakest Win32k

This talk aims to provide an overview of the Windows kernel mode attack surface, how to interact with it and the challenges in exploiting kernel memory corruption vulnerabilities on the latest releases of Windows.

With the rise of sandboxes and locked down user accounts attackers are increasingly resorting to attacking kernel mode code to gain full access to compromised systems. This talk will demonstrate the tools available for finding bugs in Windows kernel mode code and drivers together with highlighting some of the lower hanging fruit, common mistakes and the steps being taken (or lack of steps being taken) to mitigate the risks posed. The talk will then cover common exploitation techniques to gather information about the state of kernel mode memory and to gain code execution as SYSTEM.

Finally the talk will walk through exploiting a Kernel mode memory corruption vulnerability on a modern release of Windows.

A look at TR-06FAIL and other CPE Configuration Disasters

In late 2016, a number of ISP’s, including TalkTalk in the UK, suffered temporary outages due to the mass-exploitation of a vulnerability in an implementation of the TR-064 protocol by the “Annie” worm.

This talk explores the vulnerabilities that allowed this to occur, the DSL Forum TR-XXX protocols involved, and other vulnerabilities in this whole stack of broken technology that allow an attacker to take over CPE devices en-masse with minimal effort.

Mahkra ni Orroz

In 2008, I went head to head with a collective of malicious trolls and had MySpace patch up an exploit, breaking the group’s tools and tactics in the process. After a series of expose style blogposts, they took it personally and went on a (mostly harmless) offensive, until a mysterious figure joined the fight, promising to bring me down in the most drawn out, comprehensive way possible. Unforeseen happenings and poor decisions resulted in a dedicated forum spreading my logins and data across hundreds of users, all of which was given to them by their one-step-ahead benefactor.

For six months, I was forced to jump through an increasingly dubious set of hoops, with the promise of one final, grand, devastating reveal at the end of it all.

In this talk, you will see:

  • The price paid for public facing research
  • How easily your social graph will betray you for a get out of jail card
  • A forced game of “hack your friends or else”
  • A meticulously planned out piece of forum compromise, laced with unforeseen consequences
  • A daring bank heist, overlaid with a smattering of blackmail and lulz
  • The retroactive fallout that occurs when the single most devastating piece of information that can be dropped, is

This in-the-trenches style account of a piece of research gone horribly awry is filled with
wrong turns, social engineering, fakeouts, and a threaded message that nothing is ever quite what it seems. What happens when you put Mahkra ni Orroz?

A Forgotten HTTP Invisibility Cloak

This talk illustrates a number of techniques to smuggle and reshape HTTP requests using features such as HTTP Pipelining that are not normally used by testers. The strange behaviour of web servers with different technologies will be reviewed using HTTP versions 1.1, 1.0, and 0.9 before HTTP v2 becomes too popular! Some of these techniques might come in handy when dealing with a dumb WAF or load balancer that blocks your attacks.

Honey in the age of Cyber

Are you defending a large and complex network from relentless attackers? Have you ever thought about providing tailored services to an attacker, so both of you can benefit from the attack? If you let the baddies explore your carefully crafted honeypot they will have a (temporary) warm fuzzy feeling and you will have some cold hard intel – isn’t that win-win in its purest form? But wait, there’s more – honeypots aren’t the only deception technique out there. Shining a light on methods from low-cost, easy to implement honeytraps to complicated ways to fool attackers, you will find out what’s a good idea for your network and what simply isn’t. Deception can be an effective early warning system and also gives you the one thing you really need when guarding against a cyber attack: time.

The evil friend in your browser

On the one hand, browser extensions, e.g., for Chrome, are very useful, as they extend web browsers with additional functionality (e.g., blocking ads). On the other hand, they are the most dangerous code that runs in your browsers: extension can read and modify both the content displayed in the browser. As they also can communicate with any web-site or web-service, they can report both data and metadata to external parties.

The current security model for browser extensions seems to be inadequate for expressing the security or privacy needs of browser users. Consequently, browser extensions are a “juice target” for attackers targeting web users.

We present results of analysing thousands of browser extensions on how they use the current security model and discuss examples of extensions that are potentially of high risk. Based on the results of our analysis of real world browser extensions as well as our own threat model, we discuss the limitations of the current security model form a user perspective.

Practical Serialization Attacks

Java Serialization is commonly used by large-scale enterprise applications and presents significant opportunities for attacks that often lead to unauthenticated remote command execution against the underlying application servers. While serialization exploits are not new, identifying and exploiting serialization vulnerabilities can be more involved than other common vulnerabilities. During this talk I’ll look at some real attacks against Java serialization and demonstrate how to identify and attack serialization vulnerabilities to reap the rewards of RCE.

Samurai of the west

Hype surrounding zero days is interesting, are they really worth the attention we give them?

My talk will look at zero days and compare them to freely available functionality that can be exploited resulting in the same goal, minus the hype. It will touch on commonly known modern releases such as the TheShadowBrokers gifts, quickly demo a few of them working and then it will hopefully raise a question, with regards to the NSA, a theory I have that I not seen anyone mentioned on any medium to date. Following on from this the talk will detail how a compromise could have played out. There will be lots of demos showing a remote attack starting from nothing right the way up to the complete compromise of the targeted domain, using functionally, misconfiguration and a bit of Samurai magic.

Revocation is broken, here’s how we’re fixing it

The certificates we obtain from a Certificate Authority underpin trust on the web. The problem is that if we lose the key for our certificate an attacker can use that certificate to successfully impersonate us for as long as it’s valid, potentially years. We need a way to revoke the trust in these certificates so that they can’t be abused but all current  evocation mechanisms are largely useless. Let’s look at the new mechanisms being  introduced to address the problem of revocation.

Dicking around with dildos

Adult toys are evolving, in strange ways. The IoT brings the opportunity to attach any old nonsense to the internet. The sex toy industry is no exception. App enabled dildos, dildo APIs, cameras embedded in IoT dildos and sex dolls are all out there, so we thought we’d poke around.

This is a story of hardware reverse engineering and screwing up your Amazon recommendations.

10 Years Forward into the Future: Fact, Fiction & Failure

Thinking and discussing the future of IT and IT systems ten years in the future is a daunting task and it’s easy to plunge into a dystopian vision. From the Matrix to Westworld and Mr. Robot, Hollywood thinks we are in for a rough future. Join Ian Trump, Global Cyber Security Strategist, Solarwinds for a proactive timeline of future events. Nation state conflicts, hacktivist insurgency and prolific cyber-crime will force key future developments – these developments will have profound societal implications. Will the hopeful technology of today such as AI, the Internet of Things and the emergence of direct brain to network connections be the saviour of the network? Will the attack surface of the future be the human brains and AI systems which are permanently attached to the network? Is a brighter future possible once we endure the foretasted hard times ahead? The network we have today will be the foundation of the network of the next ten years – maybe we can get it right this time?

Reclaim back keys for your Kingdom: a vaultless password manager

Securing the modern Internet requires passwords that are either ridiculously long or look like random gibberish of letters, numbers and special characters. As a result, passwords today are easily forgotten and the sheer amount of passwords one has to remember across various platforms makes the password problem even worse. That’s where password managers, currently the most secure way to manage passwords, kick in. But every password manager requires a vault, and managing your vault can become a tedious task, not to mention the added stress of trusting your vault to a third party. Improperly managed vault can also create security issues. Wouldn’t it be great to do without vaults altogether? This presentation introduces an open-source vaultless password manager for stress-free security.

Let’s Cut The Crap on GDPR

In a world of hype around GDPR, this talk delivers a hard dose of reality of what the GDPR is, what it isn’t and whether anyone is really going to get fined a billion Pounds.

“Encryption is the answer! It’s all about breach notifications! Brexit will change all the rules!” – I’ll address crap like this and much more. I’ll describe the contents of the GDPR and how it positively impacts your individual rights and your career in Information Security. I’ll discuss who is really going to get fined and how much, and whether there will be a grace period after May 2018.

Delivered by a straight talking Northerner, this talk will help fill in the gaps in your GDPR knowledge and keep you focused on its real world consequences.

When it comes to security…) Nothing’s new, everything’s new.

Personal view of significant developments in IT security over the last 15 years, basically: from stopping viruses spreading to stopping hackers hacking. A few ‘war stories’ and a sprinkle of historical events (e.g. transporting the Cullinan diamond, Zimmermann’s’ telegram) that hopefully will provoke some deeper broader thinking about current security challenges. If there’s anything breaking at the time – maybe do some analysis on it.

From Stuxnet to Stuck Without the Net

Payments to release victims from ransomware keep on being made, and the noisy yet infectious malware snares all sorts of victims in a variety of business verticals. However, there is little in the form of prevention to help victims or even decrypt the ransomware and release the files or desktop.

In this talk I will look at the evolution of ransomware from an irritant to an epidemic, the security factors (encryption, phishing, user fallibility, immediacy) that have contributed to ransomware being a successful vector, examine cases of “success” for ransomware and why they happened, and ask what the industry should be doing to ensure that people do not fall victim anymore.