BSidesLondon Talks

BSidesLondon Speaker Voting has now CLOSED

Click to see what's happening at BSides London.

What?
Call For Presenters (CFP) for Security B-SidesLondon 2011 has CLOSED - Sorry
When?
Deadline was Feb 15th 2011
How?
Build a time machine and go back and submit your talk.
About?
Use the time machine to see what was written here.

The CFP for the first ever BSidesLondon has closed.

We have two parallel streams running throughout the day: stream 1 has 50-minute sessions for keynotes and formal presentations. These should allow time for discussion and Q&A. Stream 2 follows a less formal, more interactive format; session times can be flexible, from 30 to 90 minutes.

We welcome presentation and session proposals to both streams which engage with the audience and promote discussion, from any of the various security disciplines, such as software development, operational maintenance, pen testing and so on. In the spirit of BSidesLondon, presenters are encouraged to engage with these issues in a way that reflects the material being discussed.

Please note that all submissions must be entered on the table below. Provide as much information as possible and links to supporting documentation if necessary.

Once the deadline is reached the CFP will be closed and submissions will be peer reviewed and voted on. The selection process is expected to be finished by Feb 15th. The selected talks will be slotted into streams 1 and 2 and published on the main page. All applicant presenters will be notified by Geekchickuk.

Please complete the table below.

Name
David Rook
Contact Info (e.g. email, twitter, website)

@securityninja

securityninja at realexpayments.com

Preferred Stream Time (30/60/90 mins)
60
Session Title
Agnitio: it's static analysis, but not as we know it
Abstract (max 500 words)

As an industry we should always be aware of the security CIA (Confidentiality, Integrity and Availability) when it comes to any work we do. I feel that we often fail to do this when it comes to security code reviews. We record our code review notes in notepad files, Word documents or Excel spreadsheets which fail to enforce integrity or any kind of audit trail. We then turn these notes into Word or PDF format reports and give them to our customers. Where is the integrity and audit trail in this process? How can I prove that I produced the report for Application A on X date? How can I prove to an auditor that the report I’m showing them hasn’t been modified since it was originally produced?

I have released a free security code review tool called Agnitio which addresses the repeatability and integrity concerns by forcing a reviewer to create application profiles and answer over 60 application security questions, and by enforcing mandatory integrity checks for reviews and reports created using the tool. The checklist not only serves as a guide for the reviewers but also as a resource to educate reviewers and developers by focusing on the Principles of Secure Development approach to secure development. Every checklist item has a detailed explanation in the Agnitio knowledgebase which arms reviewers and developers with the necessary knowledge to find vulnerabilities in the source code they are reviewing. Agnitio delivers repeatability and clarity to the security code review process as well as built-in metrics and reporting.

This demonstration-filled talk will start by discussing the problems with the security code review approaches most people follow and the reasons why I created Agnitio. This will include a look at existing manual and automated static analysis procedures and tools. The talk will move on to exploring the Principles of Secure Development and how the principles have been mapped to over 60 different checklist items in Agnitio.

Using an open source project that has recently had a vulnerability published in it, we will show how Agnitio could have helped prevent this vulnerability by finding it during a security code review.

I will demonstrate how Agnitio can be used by the attendees for their own security code reviews to deliver integrity, repeatability, audit trails and metrics.

If selected to talk at BSidesLondon I will release a new version of Agnitio during the talk.

External Links (support doc)

http://www.securityninja.co.uk/

http://sourceforge.net/projects/agnitiotool/

Name
Michael Kemp
Contact Info (e.g. email, twitter, website)

@clappymonkey

clappymonkey at gmail dot com

Preferred Stream Time (30/60/90 mins)
60
Session Title
When I Grow Up I want to be a Cyberterrorist
Abstract (max 500 words)
Computer mediated terror is big business. Books get written. News reports get recorded. Every time a teenager discovers LOIC and 4chan it makes headlines. Experts have warned for years of the likelihood of an 'electronic Pearl Harbour'. Even John McClane and Hollywood have got into the fray. So, who are the cyberterrorists, and how will they cause the downfall of Western civilisation? This talk examines some of the more ridiculous claims made about computer mediated attacks on CNI (Critical National Infrastructure) as well as providing details of how terrorists could actually cause harm should they actually know what they are doing (as opposed to performing low level scams like al-Daour, Mughal & Tsouli). As well as addressing weaknesses in the critical infrastructure of the UK, it discusses specific attacks (that may well work) as well as practical countermeasures. The talk also addresses the politics of fear, and how a fundamental misunderstanding (or misappropriation) of both technology and the 'terrorist' mindset is leading to a clampdown on network freedoms, and what can be done about it (other than blowing up power stations and telco backbones). It should be noted that the author is risking getting on all manner of 'watch' lists to deliver this talk.
External Links (support doc)
lowfisecurity.com

Name
Steve Lord
Contact Info (e.g. email, twitter, website)
http://www.mandalorian.com/ and http://www.tigerscheme.org/ @stevelord
Preferred Stream Time (30/60/90 mins)
60
Session Title
Breaking, Entering and Pentesting
Abstract (max 500 words)
The majority of penetration testing teams have staff falling into three of four categories: Nessus Monkeys, Experts-in-Training and Jaded Cynics. This is a talk about improving penetration testing skills to get to the rare fourth Jedi Master level, normally occupied by less than 1% of the team, where nothing is impossible. The talk will be backed up by video footage from actual penetration tests as well as live demos and a Q&A session.
External Links (support doc)

Name 
Steve Lord
Contact Info (e.g. email, twitter, website) 
http://www.mandalorian.com/ and http://www.tigerscheme.org/ @stevelord
Preferred Stream Time (30/60/90 mins) 
60 
Session Title 
Firewall? What Firewall? (Or "It's Common Criteria, it must be safe, I read it on the Internet")
Abstract (max 500 words) 
In this talk I discuss and demonstrate various means of post-exploitation firewall bypass, starting with traditional pivots and working up to internal proxy-compatible full virtual network access.
External Links (support doc)

Name
Matt Summers
Contact Info (e.g. email, twitter, website)
@dive_monkey
Preferred Stream Time (30/60/90 mins)
60
Session Title
Trust thy neighbor?
Abstract (max 500 words)
Should trust be given or earned? In the digital age who can you trust? We will examine trust mechanisms of popular systems and how they fail to deliver yet we continue to give our trust to unknown systems. We will also delve into the social aspect of trust and how our privacy is being eroded.
External Links (support doc)

Name
Chris Boyd
Contact Info (e.g. email, twitter, website)

@paperghost

www.gfi.com

Preferred Stream Time (30/60/90 mins)
60
Session Title
"Console yourself: Gaming threats in the workplace"
Abstract (max 500 words)
The talk seeks to explain the risks that a net-connected console in the workplace can bring, along with solutions for neutralising some of those threats.  It will also examine some of the problems that cannot be readily resolved - problems that could lead to possible brand damage and compliance issues as consoles integrate web 2.0 applications and websites.

The main body of the talk is divided into three main sections, with an introduction that looks at global console sales figures, why consoles are becoming popular in the workplace and an exploration of data taken from a survey of 200 senior IT decision-makers in public and private sector organizations around the globe. Roughly half of the people surveyed had a game console in the workplace and forty-four percent of those had a net-connected console. Additionally, eight out of ten respondents had no record of who was using those gaming machines, setting the scene for a networked environment where all manner of malicious activities could be taking place.

The introduction will finish with a look at the increase in the profitable black market trade for videogame console accounts, how features added by console makers are an incentive to hackers and why a corporate gaming account would be a prize catch for a bad actor.

The three main areas that will be explored are phishing and social engineering (both ingame and online), hardware hacking / denial of service attacks (specifically, how the black market will create custom built DDoS Botnet tools to target specific individuals for the right price) and how the continued integration of services such as Facebook and Twitter into games consoles can bypass otherwise watertight security protocols, giving rise to data leaks / brand damage as a result.

I’ll include a real life example of a company that could have fallen victim to account theft and profiling of the employees, due to poor implementation of security practices in relation to their corporate gaming account. Additional areas covered will include how tying Xbox accounts to Windows Live IDs can result in basic security mistakes, how “features” of gaming accounts that cannot be hidden with privacy settings make you a target, an examination of the custom built hacking tools made to tamper with console data, how you can protect yourself from customer support being fooled into handing over your login and the typical journey of a stolen account.

We’ll also explore how console web browsers can cost companies money as a result of fake AV warnings, how games related searches on office PCs are increasingly becoming targets of Blackhat SEO exploitation and whether the “security scare stories” of the recent PS3 hack are justified.
External Links (support doc)
http://www.theregister.co.uk/2010/02/21/xbox_hacking_phishing_analysis/
http://www.computerworlduk.com/in-depth/security/3165/xbox-ps3-and-the-threat-to-workplace-security/

Name
Jelle Niemantsverdriet 
Contact Info (e.g. email, twitter, website)

@jelle_n

securitybsides [at] niemantsverdriet [dot] nl

Preferred Stream Time (30/60/90 mins)
60 
Session Title
"Bringing the data back into data breaches"
Abstract (max 500 words)

If you read in the papers about a data breach, you typically only read about the number of records breached. What actually went wrong, how the attackers got in and how such an attack could have been prevented - you never read that in the press. By sharing intelligence from our forensic investigations, we give an inside view of these data breaches including analysis that we believe will be helpful to the planning and security efforts of our readers, so these can be based on actual incident data rather than newspaper stories.

This presentation will combine information from the latest Verizon Data Breach Investigation Report - containing data from both Verizon and United States Secret Service cases - to provide an inside look into the world of investigating data breaches, using real world data and case examples.

I'll also highlight how we think incident data sharing can be set up amongst organisations to result in more widely available information on security incidents.

External Links (support doc)

DBIR 2010: http://securityblog.verizonbusiness.com/2010/07/28/2010-dbir-released/

VERIS framework: http://securityblog.verizonbusiness.com/2010/11/11/veris-community-application-launched/

Name 
Graham Lee
Contact Info (e.g. email, twitter, website)
@iamleeg, [email protected]
Preferred Stream Time (30/60/90 mins)
30 mins
Session Title 
Is your smartphone app secure? No bloody clue, how do I use it?
Abstract (max 500 words)

Back in the depths of history, when companies like Sun Microsystems still existed and portable computers weighed marginally less than the stack of floppies their operating systems were distributed on, A. Whitten and J. Tygar wrote "Why Johnny Can't Encrypt". In that paper they demonstrated that even well-implemented security software and privacy features will fail in the real world if the user interface doesn't make them discoverable, accessible or comprehensible. Of course, that was 1999, and since then we've entered the bold new world of the smartphone. Marketing types are using words like "paradigm", which means that everything must have changed, right? Erm, wrong. In this talk, I'll examine why usability engineering should still be an important part of security engineering, and give specific suggestions of #fail and #win in smartphone apps. Some of these suggestions could even be taken seriously.

External Links (support doc)

Name 
Simon Walker
Contact Info (e.g. email, twitter, website)
Simon.walker-at-quantainia-dot-com
Preferred Stream Time (30/60/90 mins)
60 mins
Session Title 
Why Security Business Cases Fail: What Cholera, Rubbish, and “The Dismal Science” Can Teach Us
Abstract (max 500 words) 

Primary research has found that many organisations have a confused approach to security business cases – leading to their frequent failure. Starting with a look at the cross-sector, international research, we will look at some “accepted” models and the innate failings in these, the economics that sit behind failures to capture business benefits of security, and where else we might look for inspiration.

External Links (support doc)

www.quantainia.com

Name
Manuel
Contact Info (e.g. email, twitter, website)
@__sporkbomb
Preferred Stream Time (30/60/90 mins)
60
Session Title
TBA
Abstract (max 500 words)

Between Sony rootkits, unavailable authentication servers and its absolute inability to stop piracy, we have probably all noticed that DRM sucks. It gets even worse when the retailer is blabbering about the "openness" of their products while locking them down and preventing you from enjoying the media you just bought. The neat thing is that they are playing that game on OUR playing field.

This talk will show you the basics of reverse engineering Android apps with the ultimate goal of re-implementing the decryption routines of the Kobo Android reader to achieve interoperability of other software with that closed interface. (Pardon the gibberish, but this is the only phrasing that's compatible with the EU's regulations on reverse engineering...)

You could, of course, also use your re-implementation to strip all DRM measures from the ebooks you just bought and enjoy them however and wherever you want.

CAUTION: Talk contains strong language, politically incorrect jokes and crying babies.

External Links (support doc) 

http://sporkbomb.eu/kobopier/

Name 
Wicked Clown
Contact Info (e.g. email, twitter, website)

@wickedclownuk

wicked.clown at tombstone-bbs dot co dot uk

Preferred Stream Time (30/60/90 mins)
30 mins
Session Title 
Breaking out of restricted RDP
Abstract (max 500 words) 

After doing a 5-minute talk at BruCON 2010, I am going to expand on this subject. Lots of companies are using RDP to support their external users. The administrators lock down the servers via group policy believing it is all secure; I will demonstrate how you can instantly bypass group policy and how to escalate your privileges with the use of Metasploit.

External Links (support doc) 

http://www.tombstone-bbs.co.uk/brucon/brucon.html

Name 
Chris Boyd
Contact Info (e.g. email, twitter, website)

@paperghost

www.gfi.com

Preferred Stream Time (30/60/90 mins)
60
Session Title 
"Web browsers: A history of rogues"
Abstract (max 500 words)

Web-browsers. They’re all around us, on every PC across the length and breadth of the planet, yet most users probably don’t stop to think about them too much. Where browsers are concerned, most end-users think of threats as being malicious web pages, drive-by downloads or some other activity that takes place within the confines of their browsing window. They give up their trust to these browsers wholeheartedly; let them save passwords, keep hold of browsing habits and much more besides.

When the web browser itself is a rogue entity, this is a very bad idea.

What happens when the very tool you share your closest browsing secrets with is intentionally betraying trust with every single click of the mouse?

What happens when your browser intentionally sends you to places that could put you in jail?

This talk will examine the strange history of the rogue web browser, looking at key examples from 2006 to 2008 along with possible reasons the "movement" died out and examples of how the genre has evolved in the last year or two. A large portion of material in the presentation contains many pieces of unseen information related to one of the most notorious rogue browsers ever created - Yapbrowser. Screenshots from Russian forums, email exchanges between myself and someone who was likely part of a Coolwebsearch affiliate group, illegal websites, smear campaigns, crime rings, documents lifted from underground servers and Adware vendors all feature heavily.

Whether this is your first taste of a rogue web browser or you're familiar with some of the exploits on offer, everyone will see something new as we explore a largely forgotten area of security research.

External Links (support doc) 

References:
http://www.eweek.com/c/a/Security/Return-of-PornFetching-YapBrowser-Raises-Eyebrows/
http://consumerist.com/2006/06/yap-browser-the-worst-browser-ever.html

Slide content samples:
http://www.flickr.com/photos/paperghost/5372712294/
http://www.flickr.com/photos/paperghost/5372110855/
http://www.flickr.com/photos/paperghost/5372110717/
http://www.flickr.com/photos/paperghost/5372110285/

Name 
Peter Blay
Contact Info (e.g. email, twitter, website)

@lavamunky

peter at www dot lavamunky.com

Preferred Stream Time (30/60/90 mins)
30 or 60
Session Title 
Why technology, companies, and all of us are destroying the future of information security
Abstract (max 500 words) 

With the constant advancements in technology, companies can't afford to keep up, and so with so many legacy systems, it is becoming more and more apparent that the knowledge from 10 or 15 years ago is still relevant today. There are still the same old exploits occurring, and the same old systems still being used along with the new.
But what does this mean for the future? With the number of legacy systems in use comes the need to have knowledge of all (or nearly all) of them. Whether a vulnerability researcher, a pentester, or just a sysadmin, the amount of knowledge needed keeps on growing.
The areas explored will be advancements in technology that are creating storms within infosec and how this goes against the grain of people trying to get into infosec.
Included will be personal experiences of how teaching is not keeping up with the advancements of technology, why this will always mean software will be very vulnerable, and I'll explain why, unless there is a change, it will just get worse and worse in the future and for the future generation.

External Links (support doc) 

http://www.lavamunky.com/

Name
Rory McCune
Contact Info (e.g. email, twitter, website)
@raesene, [email protected] 
Preferred Stream Time (30/60/90 mins)
30 or 60 mins
Session Title
Pen. Testing Must Die
Abstract
"Penetration testing" has become a staple of the security programmes of a lot of companies around the world, and particularly in the UK. Unfortunately in most cases it's poorly understood, the value for customers is minimal and it bears absolutely no resemblance to what a modern attacker would do.

So it's time for it to die.

I'd like to talk about the problems and hopefully the solutions to the problems.

Name 
Ellen Moar and Colin McLean 
Contact Info (e.g. email, twitter, website)

e dot moar at abertay dot ac dot uk

c dot mclean at abertay dot ac dot uk

@soyflower

Preferred Stream Time (30/60/90 mins)
 30
Session Title 
Malware writing 101 - A script kiddie's attempt at writing and masking Trojans
Abstract (max 500 words) 

Writing Trojans is cool, what's better than remotely controlling other people's computers? But it also takes time, skills and effort. What if you're just too lazy? We’ve hunted down what’s already out there on code sharing sites in terms of cool exploits, and we’ll look at how easy it is for a script kiddie to create their own unique malware in a matter of minutes. In case you’re even lazier than that, we’ll also have a look at the ways in which a script kiddie can take a well-known Trojan, detectable by all the normal anti-virus products, and manipulate it in order to bypass these products. We'll demonstrate various methods of constructing and hiding Trojans and test the results against major AV vendors.

External Links (support doc)

Name
Nathaniel Borenstein
Contact Info (e.g. email, twitter, website)
[email protected]
Preferred Stream Time (30/60/90 mins)
60
Session Title
Email Security: Chimera or Oxymoron?
Abstract (max 500 words) 

Since the first email message was sent nearly 40 years ago, people have acted as if email were secure while bemoaning the fact that it isn't. Despite decades of efforts and dozens of different kinds of countermeasures, all of the old problems persist to varying degrees: impersonated identities, eavesdropped content, sabotaged reliability, and email-based attacks. Yet we still find email far too useful to live without.

In this talk I will review the history of email security threats and the various attempts at solutions and countermeasures, with a particular focus on why those countermeasures have almost universally failed to solve the problems. In a world where PGP and S/MIME have been available for over a decade, why are so few messages signed or encrypted, and what would it take to change the situation? Why have 15 years and untold millions of dollars failed to halt the spam and phishing problems?

I will conclude with a discussion of the prospects for acceptable solutions in the future. New technologies and better educated users will help with some of the problems, as will more reasonable user expectations on the part of technologists. But I will also discuss those aspects of email security about which we must simply, and with apologies to Stanley Kubrick, "stop worrying and learn to love the mail bomb."

External Links (support doc)

http://theviewfromguppylake.blogspot.com

http://guppylake.com/nsb

Name 

David Stubley

Contact Info (e.g. email, twitter, website)

@DavidStubley

david.stubley at 7elements.co.uk
Preferred Stream Time (30/60/90 mins)
30 or 60
Session Title 
APT – What’s all the fuss about?
Abstract (max 500 words)

Is APT just FUD and fluster, mere media hype for the masses or a real issue we have yet to acknowledge?

This talk will take a look at the history of what is now termed APT, the current threat landscape and then the future for APT and how it will affect wider industry.

Along the way we will dispel some myths, highlight some truths, explore its roots in military focused attacks and how it has evolved.

External Links (support doc)

www.7elements.co.uk

Name 

Jimmy Blake

Contact Info (e.g. email, twitter, website)

@jimmyblake

jimmyblake at gmail dot com

jblake at mimecast.com

Preferred Stream Time (30/60/90 mins)
30 or 60
Session Title 
Cloud Computing Due Diligence - WTF?
Abstract (max 500 words) 

The media hype, both positive and negative, around cloud computing is often sensationalist. The reality is that cloud computing has a place as a tool in the modern computing environment – but how do you realistically balance the benefits with the risks?

This talk will provide a more ‘down-to-earth’ and expanded version of presentations previously given at InfoSec, IT Web South Africa and the Cloud Computing World Forum to look at how customers often do not classify their data sufficiently and end up backing themselves into an ‘all-or-nothing’ approach to cloud computing; it will discuss how customers often fail to take an objective assessment of the risks of moving to the cloud by not baselining on what they currently do on-premise; we'll look at the role of certifications such as SAS-70, PCI DSS and ISO 27001 in a cloud computing context; why 'right to audit' doesn't scale; look at why internal clouds are infrastructure vendor marketing bull; and how to manage the conflict between a business' desire to outsource and the IT department’s wish to protect its influence.

We will finish up by disclosing some of the tricks used by cloud computing vendors to ensure transparency of internal processes remains 'opaque', and how to avoid them.

External Links (support doc) 

www.jimmyblake.com

Name
David Rook and Chris Wysopal
Contact Info (e.g. email, twitter, website)
@securityninja and @WeldPond
Preferred Stream Time (30/60/90 mins)
60
Session Title 
Jedi mind tricks for building application security programs
Abstract (max 500 words) 

Software serves as the very fabric of how the world communicates and fuels 21st century business. Software infrastructure runs an organisation's critical financial processes and the transactions between customers, partners and employees. Software is also the primary target of criminal hackers who steal and sell information assets on the information black market. With 75% of new attacks (CERT) and 80% of attacks (SANS Top 20) targeting applications, combined with regulatory requirements, it is unsurprising that application security has risen to the top of security professionals' agendas. Unfortunately, despite the risks and elevated awareness, application security programmes are usually underfunded or sadly nonexistent.

From the perspective of both an employee of a financial transaction provider and a security vendor, this presentation will focus on how to effectively sell the business value of application security to executives, middle management, and development groups. David Rook and Chris Wysopal will share how they have successfully obtained the resources necessary for an effective application security programme where others have failed. Their experience will reveal key real-world techniques that help unify an organization around application security, and what common pitfalls to avoid that every security professional should be aware of. These techniques involve engagement with key business resources and convincing developers of the need for application security using real world examples.

External Links (support doc) 

www.securityninja.co.uk

www.veracode.com

Name
Frank Breedijk
Contact Info (e.g. email, twitter, website)
@seccubus
Preferred Stream Time (30/60/90 mins)
30 or 60 (Can also do 2 hour workshop)
Session Title
Seccubus - A tool to take the pain out of repeated vulnerability scanning
Abstract (max 500 words) 

Short or longer talk about Seccubus

As part of his job as Security Engineer at Schuberg Philis, Frank Breedijk performs regular security scans. The repetitive nature of scanning the same customer infrastructure over and over again made him decide to look for a more automated approach. After building his first scanning scheduler he realized that it actually does not make sense to look at all findings every time they are reported. It would be much better to only investigate the deltas between the scans. The philosophy behind Seccubus was born. In his workshop Frank will demonstrate Seccubus by making the attendees perform scans of a live demo environment and explain the inner workings of Seccubus and the philosophy behind it.

What is Seccubus?

Seccubus automates regular vulnerability scans and provides delta reporting. It effectively reduces the analysis time for subsequent scans of the same infrastructure by only reporting delta findings.

Why?

Anyone who has ever used a scanning tool like Nessus or OpenVAS will be familiar with one of its biggest drawbacks. Nessus and OpenVAS are very valuable tools, but unfortunately also very noisy. The time needed to report on a single scan will often be two or three times the time needed to do the actual scan. Seccubus was created in order to more effectively analyze the results of regular scans of the same infrastructure.

How does it work?

Seccubus runs vulnerability scans at regular intervals and compares the findings of the last scan with the findings of the previous scan. The delta of this scan is presented in a web GUI where findings can be easily marked as either real findings or non-issues. Non-issues get ignored until they change. This causes a dramatic reduction of the analysis time.

What will be in the talk?

The presentation will tell the tale of two engineers that have been tasked with scanning the same infrastructure each week. One uses a regular approach, the other one uses Seccubus. As we follow them we will find out what Seccubus is about and how it will help the smarter of the two individuals in his job.

External Links (support doc)

www.seccubus.com
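The delta approach described in the "How does it work?" section above, shown as an added illustration that is not Seccubus's own code: two constructed scan result sets (last week's and this week's) are keyed by host, port and check identifier; only new, changed and still-open findings are surfaced, while findings the analyst marked as non-issues stay suppressed until their reported output changes. The `Finding` class, the check names and the `IGNORED` set are all constructed for this example.

```python
# Added illustration of Seccubus-style delta reporting (not Seccubus's own code).
# Two constructed scan result sets are compared; only new, changed and still-open
# findings are surfaced, while findings previously marked as non-issues stay
# suppressed until their output changes.
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    host: str
    port: int
    plugin: str   # identifier of the scanner check (constructed sample values)
    output: str   # text the check reported; a change here re-surfaces the finding


def finding_key(f):
    """Identity of a finding across scans: the same check on the same service."""
    return (f.host, f.port, f.plugin)


def compute_delta(previous, current, ignored):
    """Classify the latest scan's findings relative to the previous scan.

    ignored holds keys the analyst marked as non-issues on an earlier run.
    A non-issue stays suppressed only while its output is identical to the
    previous scan; if the output changes it is reported again under 'changed',
    because the reason it was accepted may no longer hold.
    """
    prev = {finding_key(f): f for f in previous}
    cur = {finding_key(f): f for f in current}
    delta = {"new": [], "changed": [], "gone": [], "suppressed": [], "open": []}
    for key, f in cur.items():
        if key not in prev:
            delta["new"].append(f)
        elif prev[key].output != f.output:
            delta["changed"].append(f)
        elif key in ignored:
            delta["suppressed"].append(f)
        else:
            delta["open"].append(f)
    for key, f in prev.items():
        if key not in cur:
            delta["gone"].append(f)   # fixed, or the service is no longer reachable
    return delta


def findings_to_review(delta):
    """What the analyst actually has to look at after this scan."""
    return delta["new"] + delta["changed"] + delta["open"]


# Constructed sample data: last week's scan, this week's scan, and the analyst's
# non-issue markings from last week's review.
PREVIOUS_SCAN = [
    Finding("web1", 443, "ssl-weak-cipher", "TLS 1.0 enabled"),
    Finding("web1", 80, "http-server-banner", "Apache/2.2.16"),
    Finding("web1", 8080, "http-dir-listing", "/icons/ listable"),
    Finding("db1", 3306, "mysql-remote-access", "MySQL 5.1 reachable"),
]
CURRENT_SCAN = [
    Finding("web1", 443, "ssl-weak-cipher", "TLS 1.0 enabled"),           # unchanged, accepted
    Finding("web1", 80, "http-server-banner", "Apache/2.2.17"),           # output changed
    Finding("web1", 8080, "http-dir-listing", "/icons/, /backup/ listable"),  # accepted, but changed
    Finding("web1", 22, "ssh-version", "OpenSSH 5.3"),                    # new
]
IGNORED = {
    ("web1", 443, "ssl-weak-cipher"),    # compensating control documented
    ("web1", 8080, "http-dir-listing"),  # accepted while only /icons/ was exposed
}


def weekly_delta():
    return compute_delta(PREVIOUS_SCAN, CURRENT_SCAN, IGNORED)


if __name__ == "__main__":
    d = weekly_delta()
    for bucket in ("new", "changed", "gone", "suppressed", "open"):
        for f in d[bucket]:
            print(f"{bucket:10} {f.host}:{f.port} {f.plugin}: {f.output}")
    print(f"{len(findings_to_review(d))} of {len(CURRENT_SCAN)} findings need review")
```

The design choice worth noting is that a non-issue is suppressed on identity plus unchanged output, not on identity alone: the directory-listing finding that was accepted while only `/icons/` was exposed comes back for review once `/backup/` appears in its output, which is exactly the case where a stale "ignore" would hide a real problem.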


Name 
Frank Breedijk
Contact Info (e.g. email, twitter, website)
@Seccubus
Preferred Stream Time (30/60/90 mins)
60
Session Title
The road to hell is paved with best practices
Abstract (max 500 words) 

Presentation Abstract:

This talk will try to address the "unaskable" question "will best practices make us more secure?" in a light and entertaining manner.

Will a strong password policy result in stronger passwords? When are there too many admins on the system?

In good cop/bad cop style Frank Breedijk and Ian Southam will address this topic from the firm belief that IT Security should actually make IT more secure.


Presentation Outline:

Together they have been in the IT profession for over 35 years. Ian primarily as a system administrator, Frank first as a programmer later as IT security something. Together they strongly believe that IT Security should have one purpose, to actually make computing and processing information more secure.

As obvious as that statement seems, security measures often do not achieve this goal but sometimes hurt it. E.g. enforcing "very strong" password policies will often result in people not being able to remember their passwords and writing them down, or reverting to passwords like Password01, Password02, etc.

In a light, good cop/bad cop style presentation Ian and Frank plan to address this and other less obvious examples of so called "best practices" that actually hurt security.


What do you hope attendees will gain from the presentation?

Besides the fact that we plan to give a very entertaining presentation, we also hope to trigger some self reflection in the IT security community.

We hope to help break the inertia of certain long lived best practices that, e.g. force us to change our password every month because it takes two months to crack such a password with a PDP-11.

The presentation will also provide some handles for people who share our beliefs to broach the subject to others.

External Links (support doc)   

 

Name 
Chema Alonso & Palako
Contact Info (e.g. email, twitter, website)

 [email protected]

@chemaalonso

http://www.elladodelmal.com

 

Preferred Stream Time (30/60/90 mins)
 60 - 90 minutes
Session Title 
Yep, FOCA Again 
Abstract (max 500 words) 

FOCA was born as a tool to analyze networks using metadata extracted from public files. It still does, but it also has a lot of new functions to improve pentesting. FOCA is focused on the footprinting and fingerprinting phases of a pentesting job. Right now, we are about to publish a new version of FOCA. In this talk we'd try to describe all the details behind the newest version of FOCA for all the FOCA Lovers. Of course, we'll do a lot of crappy demos with famous sites, just for fun.

External Links (support doc) 

http://www.informatica64.com/FOCA 

http://www.securitytube.net/The-FOCA-Striked-Back-at-Defcon-18-video.aspx (previous version)

 

Name
Arron "finux" Finnon
Contact Info (e.g. email, twitter, website)

@f1nux

www.finux.co.uk

Preferred Stream Time (30/60/90 mins)
30
Session Title
"DNS Tunnelling, It's all in the name!"
Abstract (max 500 words)
In September 2000 a post came across the Slashdot website informing its readers of an interesting use of DNS tunnelling for breaking out of locked down networks. It utilises the fact that most networks, regardless of their firewall and access controls, would allow DNS look ups. Researchers found with crafted packets that they could in fact establish bi-directional IP traffic; they delivered a protocol named NSTX. However this concept became more widely established when the respected DNS security researcher Dan Kaminsky released his Ozyman tool at Blackhat in 2005. Kaminsky, who in 2010 became one of ICANN's Trusted Community Representatives for the DNSSEC root certificate, has an unparalleled reputation when it comes to DNS security and its insecurities. Needless to say this release caught the attention of many security researchers; however, worryingly, nearly 11 years after the discovery and 6 years since Kaminsky's Ozyman tool release, this vulnerability still lives on in a number of networks. Although DNS tunnelling could be seen as a way to obtain free Internet on captive portals, it is also an effective tool in data theft. However it is hard to imagine the limitations when this is mixed with shellcodes. DNS tunnelling could be used to reverse connect a shellcode from target to attacker; the tunnel's effectiveness at traversing NAT makes it a worthy deployment. The presentation's aim is to talk about how simple it is to deploy DNS tunnelling infrastructure at little or no cost, in addition to showing that this can be deployed from resources available on the world wide web. The presentation's aim is to show how to establish an ssh connection from target to attacker, and act as a taster for people's further research.
External Links (support doc)
Arron M Finnon, aka "Finux", is now a full-time student on the University of Abertay Dundee's Ethical Hacking and Countermeasures BSc course, and has been involved with ethical hacking for a little over 4 years. After spending some amount of time as an independent security consultant and researcher, in 2010 finux returned to university to resume his studies. During the past 4 years, finux has produced a number of talks and delivered them throughout the UK, in addition to his passion for podcasting. During his podcasting career he has produced over 40 shows predominantly focused on security concepts and its practitioners. In 2009 he was awarded the SICSA Student Open Source Award for his advocacy of Free and Open Source software. He now runs a weekly podcast show about technology and security matters named Finux Tech Weekly, which can be found at www.finux.co.uk

 

 

Name
Javvad Malik
Contact Info (e.g. email, twitter, website)

twitter.com/j4vv4d javvad at j4vv4d dot com

Preferred Stream Time (30/60/90 mins)
30
Session Title
Digital Superheroes and Security Extremists
Abstract (max 500 words)

Faster than a 50meg broadband connection

Stronger than AES256 encryption

Able to escalate privileges in a single command line...

 

In the digital world, security experts are akin to superheroes with the ability to bend the rules of the applications and infrastructure. But with great power comes .... responsible disclosure... and other challenges.

 

The threats a superhero faces against organised criminals, malware, rogue nations and end users are well documented. But a more serious and far-impacting threat lies beneath it all. The threat posed by security extremists. Those who preach a hateful ideological war against infosec professionals.

 

This slightly off the wall and slightly light hearted presentation aims to interact and engage with participants to bring to life some examples of extremist thinking and to explore how we, as security ambassadors, can address these within the business community.

 

External Links (support doc)

www.quantainia.com

www.j4vv4d.com

 

Name
Miranda Mowbray
Contact Info (e.g. email, twitter, website)

miranda . mowbray at hp . com,

http://www.hpl.hp.com/people/miranda_mowbray/ 

Preferred Stream Time (30/60/90 mins)
30
Session Title
Spammers And Other Twitts
Abstract (max 500 words)

Twitter does a good job overall of policing its social network, but there are nevertheless some naughty microbloggers at large. My presentation will be about bad behaviour on Twitter, particularly – but not only – by spammers. I’ll describe the most common spamming techniques used on Twitter, based on an investigation of Twitter spam reports. I’ll explain how some of the measures used to identify spammers in Twitter anti-spam apps are circumvented by spamming software. I’ll also describe some entertaining antisocial and security-undermining behaviour on Twitter, including fake profiles, fake retweets, Twitter zombies, Twitter werewolves, randomized defamation, and fake verified account badges.


 

External Links (support doc)

http://www.hpl.hp.com

http://www.slideshare.net/hewlettpackard/twitter-cybor 

 

Name
Stephen Bonner
Contact Info (e.g. email, twitter, website)

Stephen.Bonner (at)  barclays (dot) com

@stephenbonner

Preferred Stream Time (30/60/90 mins)
60 or 90 mins (90 mins for the directors cut!)
Session Title
Information Risk Management goes to the Movies.
Abstract (max 500 words)
Stephen will present examples of the best and worst of hacking in Hollywood blockbusters and discuss how these fictional portrayals are relevant in our jobs. Bring popcorn! (NB requires high spec machine with good speakers to get the best out of the clips)

 

External Links (support doc)
www.imdb.com

 

Name
Stephen Bonner
Contact Info (e.g. email, twitter, website)

Stephen.Bonner (at)  barclays (dot) com

@stephenbonner

 

Preferred Stream Time (30/60/90 mins)
 30 mins
Session Title
How not to get hired for a security job.
Abstract (max 500 words)
Over my career in IT security hundreds of staff have applied to work for me. Many made basic and astounding errors in the process – this talk, in turns funny and depressing, looks at the common themes and how you can improve your hit rate of getting hired by avoiding the mistakes others have made.

 

External Links (support doc)
http://www.direct.gov.uk/en/MoneyTaxAndBenefits/BenefitsTaxCreditsAndOtherSupport/Employedorlookingforwork/DG_10018757
 

 

Name
Stephen Bonner
Contact Info (e.g. email, twitter, website)

[email protected] @stephenbonner

Preferred Stream Time (30/60/90 mins)
30 or 60 mins
Session Title
How not to sell me your security product.
Abstract (max 500 words)
The IT Security ‘solution’ space is full of snake oil and bogus claims. This talk dissects the worst approaches to get me to spend my security funds and highlights to technical teams on the buy and sell sides how they might do their bit to improve the process to reduce the pain.

 

External Links (support doc)
http://en.wikipedia.org/wiki/Closing_(sales) meets http://en.wikipedia.org/wiki/Cargo_cult

 

Name
Xavier Mertens
Contact Info (e.g. email, twitter, website)

xavier (at) rootshell (dot) be

@xme

 

Preferred Stream Time (30/60/90 mins)
30 - 60
Session Title
All your logs are belong to you!
Abstract (max 500 words)
Your IT infrastructure generates thousands (millions?) of events a day. They are stored in several places under multiple forms and contain a lot of very interesting information. Using free tools, this presentation will give you some ideas how to properly manage this continuous flow of information and how to make it more valuable.

 

External Links (support doc)
http://www.slideshare.net/xme/issa-siem-fraud

 

Name
Paul Baccas
Contact Info (e.g. email, twitter, website)

paul.baccas at sophos dot com

Preferred Stream Time (30/60/90 mins)
60 mins
Session Title
The current state of PDF malware
Abstract (max 500 words)
Traditionally, PDFs were thought of as a safe file format and during the Office macro infestation of the late 90s users got used to trusting PDFs. What went wrong with this safe format?

In the last three years malicious PDFs have jumped to prominence, becoming one of the standard methods for drive-by infections. Using real world case studies the presentation will discuss the pitfalls not only of the PDF format but of PDF readers.

The presentation will also begin to answer the question of whether Adobe X is the solution and, if so, why are we still seeing PDF malware?

 

External Links (support doc)

http://nakedsecurity.sophos.com/2010/10/08/malicious-pdfs-points-vb2010-presentation/
http://nakedsecurity.sophos.com/2011/01/24/review-omg-wtf-pdf/

http://nakedsecurity.sophos.com/2011/02/03/adobe-reader-x-stops-malicious-pdf-spam/
http://blog.fireeye.com/research/2011/02/omg-wtf-pdf-denouement.html?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed:+FE_research+%28FireEye+Malware+Intelligence+Lab%29

 

 

 

Name
Craig Allan-McWilliams
Contact Info (e.g. email, twitter, website)

craig at deadlybreach dot com

@deadlybreach

Preferred Stream Time (30/60/90 mins)
 30/45/60 mins
Session Title
 Underground Economy
Abstract (max 500 words)

The underground economy in the exchange of stolen personal and payment information is unfortunately thriving.

Through the presentation I will talk about the current trends and how, through these trends, we can point to the future development in the attacks used by criminal gangs online. I will demonstrate how cheap and easy it is today for a fraudster to build his toolkit; we will talk about the tools and techniques used and the relatively low cost and ease in obtaining these.
 
Once personal information is compromised, I will be demonstrating how personal information is then traded in the underground economy and the growing areas this information is being put to use. We will look at who is behind keeping this underground economy thriving and why it continues to grow despite increased awareness.


I will talk about what the security community are doing today to prevent data losses and what the future holds in this area to combat the growth of the Underground Economy.

 

 

External Links (support doc)
https://www.pcisecuritystandards.org/

http://www.itpro.co.uk/630229/panda-warns-of-cyber-black-market

 


Name 
Justin Clarke
Contact Info (e.g. email, twitter, website) 

@connectjunkie, justin (at) gdssecurity (dot) com 

Preferred Stream Time (30/60/90 mins) 
 60 minutes
Session Title 
Practical Crypto Attacks Against Web Applications 
Abstract (max 500 words) 

The science of cryptography underpins many of the information security technologies we use on a daily basis, such as the ability to keep information confidential and to ensure we can identify who we are communicating with. However, it is a very complex subject area with many types of mistakes that can reduce the overall security of a solution. A number of these types of mistakes can be identified by a penetration tester, if they know what they're looking for, but in general it isn't a well tested area.

 

This talk is intended to provide a high level overview of some of the areas where cryptographic operations such as encryption and hashing can provide far less security than was planned, and concrete examples of how these were found and exploited. Examples will include discussion and demonstration of the recently patched cryptographic padding attack against the Microsoft .NET framework (affecting ASP.NET applications) caused by a design error in how ASP.NET handles some types of encrypted data, but we will also be looking at some other fun areas including bit flipping attacks, ECB mode attacks, and some miscellaneous hashing algorithm attacks against common web application implementations.


 

External Links (support doc) 

http://www.gdssecurity.com/l/b/2010/11/18/hackers-puzzle-csaw-2010-ctf-final-round/

http://www.gdssecurity.com/l/b/2010/10/04/padbuster-v0-3-and-the-net-padding-oracle-attack/

 

 

Name 
Andrew Waite 
Contact Info (e.g. email, twitter, website) 

@infosanity

aw [at] infosanity {dot} co <dot> uk 

Preferred Stream Time (30/60/90 mins) 
30 minutes as it stands, could extend to 60 if a better fit
Session Title 
 Honeypots, what are they and why should I care?
Abstract (max 500 words) 

The use of honeypot systems and methodologies within information security goes back a long way, but they are also one of the least well understood tools in a defender's toolkit. This talk attempts to provide a solid understanding of what a honeypot is and how honeypots can be beneficial when used in real world scenarios.

 

To do this the talk will cover some of the recent developments in honeypot systems, including recent developments within Dionaea with the Ore interface and Kippo. Through this we'll highlight some of the results and findings from in-the-wild deployments of honeypot systems, and hopefully convince everyone in the audience to head home and start setting up some sensors.

 

External Links (support doc) 

http://blog.infosanity.co.uk/category/honeypot/
dionaea.carnivore.it/

http://code.google.com/p/kippo/


Name 
Soraya Viloria Montes de Oca  
Contact Info (e.g. email, twitter, website) 

Geekchickuk (at) gmail (dot) com

@GeekChickUK

Preferred Stream Time (30/60/90 mins) 
30-60 
Session Title 
You built a security castle and forgot the bridge…now users are climbing your walls 
Abstract (max 500 words) 

Every year the UK wastes millions on IT projects. There are many reasons for this and many people to point the finger at, but this is NOT the purpose of this session. In this hands-on session we will concentrate on issues we face as “Security consultants” and the part we play when designing successful secure systems.

 

I have no doubt most of my peers at this BSides are brilliant at revising code and exploiting those weaknesses; even better at firing hard and breaking down the systems … “Wooo did you see that??? Your system is Cr*p, Mr Client!”, but how good are we at observing the business processes and workflows, at sitting down and listening to the user and understanding their functions? How much time do you ever spend on understanding the business needs and the data that the system is handling before you propose security controls?

 

This is not going to be a talk but a hands on session where, drawing from real examples, we will design on the spot, a technical secure solution for them. Then we’ll discuss the level of security vs usability and the risk remaining. This session’s target audience is the security professionals who want to “build” secure usable systems; or those who normally “break” but want to better understand their target environments so they can produce more effective recommendation reports. 

 

External Links (support doc) 

Dan Galorath, June 7, 2008, “Software Project Failure Costs Billions.. Better Estimation & Planning Can Help” http://www.galorath.com/wp/software-project-failure-costs-billions-better-estimation-planning-can-help.php

The Independent UK, January 19th 2010, “ … computer blunders cost £26bn “ http://www.independent.co.uk/news/uk/politics/labours-computer-blunders-cost-16326bn-1871967.html

Poorly defined applications (miscommunication between business and IT) contribute to a 66% project failure rate, costing U.S. businesses at least $30 billion every year (Forrester Research)  





 

Name 
David Chismon
Contact Info (e.g. email, twitter, website) 
davidDOTchismonATmwrinfosecurityDOTcom
Preferred Stream Time (30/60/90 mins) 
30 mins
Session Title 
Debriefing a defector from biosciences
Abstract (max 500 words) 
As a molecular geneticist who recently defected to the security industry, I will be talking about some areas of the biological sciences that I think have potential applications in InfoSec. The talk will cover a wide range of ideas and techniques that span everything from networking to OS system calls. The talk will present ideas ranging from those that are already implementable, some that need further development and one probably crazy but highly exciting idea that will be of interest to code breakers. Prepare to see the world of bacteria in a new and exciting way.

 

External Links (support doc) 
 


Name 
Ian Moyse, EMEA Channel Director for Webroot 
Contact Info (e.g. email, twitter, website) 

imoyse (AT)webroot (DOT)com /

@imoyse

Preferred Stream Time (30/60/90 mins) 
60 minutes (50min + Q&A)
Session Title 
Overcoming Organisational Challenges & Barriers to Adopting Cloud Computing 
Abstract (max 500 words) 
Adopting and enabling a cloud solution into your business is more than just a technical decision; it can be an emotive and cultural one too. Too often there has been resistance amongst users and management to adopt the cloud. With Social Media proliferating, how can you harness this to benefit your cloud adoption in a safe and secure manner? This presentation will look at how IT can overcome the natural scepticism in the business about cloud solutions and ideas of how to explain and overcome this. At the same time it will address the role of IT in this adoption process to become a business enabler. Let IT introduce cloud into your business in a pragmatic and successful way! What will visitors learn?

 

Visitors to this presentation will be able to take back with them:

• How to overcome the natural scepticism in Business about putting sensitive data out publicly;

• Overcoming resistance among end-users to cloud adoption; how to silence detractors and leverage evangelists

• How cloud changes the role of IT and the skill base to become business enablers

• How to introduce cloud into your business in a pragmatic and successful way that enables IT to shine to the Business Managers

 


 

External Links (support doc) 
 Ian Moyse, Webroot EMEA Channel Director also sits on the board of Eurocloud UK and is a Member of the Cloud Industry Forum Governance Board. 



Name 
Sandro Gauci
Contact Info (e.g. email, twitter, website) 

sandro-at-enablesecurity.com / @sandrogauci

Preferred Stream Time (30/60/90 mins) 
60mins
Session Title 
Money for nothing and long distance for phree
Abstract (max 500 words) 
VoIP and security have a hard time sitting in the same sentence. This presentation will look at the trends in VoIP hacking, the attacks and the state of the scene.

My presentation will feature:

a) demos how easy it is for a cyber criminal to make phone calls off vulnerable providers
b) a look at my VoIP honeypot and what it's gathering
c) how common VoIP web applications help cyber crime
d) using SHODAN for VoIP research
e) auto-provisioning security mess (i.e. download your passwords off TFTP)
f) a look at Cisco world
g) lessons learnt from developing SIPVicious

.. the list goes on and on depending on the time allocated.

My presentations feature demos and technical content for the whole family.

 

External Links (support doc) 
http://sipvicious.org
http://enablesecurity.com/blog


Name 
Brian Honan
Contact Info (e.g. email, twitter, website) 

Brian.honan-at-bhconsulting-dot-ie
@brianhonan
www.bhconsulting.ie

Preferred Stream Time (30/60/90 mins) 
60mins
Session Title 
Mankini Security - How to cover the Bare Essentials
Abstract (max 500 words) 
In an era of tightening budgets and increasing demands by the business to provide more services, information security professionals are faced with doing more with less. This talk will outline ways to implement various security solutions so that vital assets are not exposed.

 

External Links (support doc) 
 



 

 

Name 
Brian Honan
Contact Info (e.g. email, twitter, website) 

Brian.honan-at-bhconsulting-dot-ie
@brianhonan
www.bhconsulting.ie

Preferred Stream Time (30/60/90 mins) 
60mins
Session Title 
Layer 8 Security - Securing the Nut Between the Keyboard and the Screen
Abstract (max 500 words) 
Despite investing heavily in various technologies to secure their data, organisations still suffer security breaches. Many of these security breaches are not the result of a failure of the technology but of the people using that technology. Despite repeated studies showing many security breaches are down to humans deliberately or accidentally bypassing controls, we still insist on investing more money in technology and less in the people using that data. This talk will highlight what you need to consider in order to ensure people in your organisation get the message that security is everyone's responsibility.

 

External Links (support doc) 
 



 

Name 
Lizzie Coles-Kemp
Contact Info (e.g. email, twitter, website) 

Lizzie.Coles-Kemp (at)rhul (dot) ac (dot) uk

Preferred Stream Time (30/60/90 mins) 
60
Session Title 
On-line Privacy Controls: What They Don't Say
Abstract (max 500 words) 
On-line privacy controls have been the subject of much research but relatively little has been done to explore the different interactions that service users would like to have about on-line privacy. This talk presents research in this area and outlines some of the common problems that service users have with making sense of the privacy controls that are offered to them. It also contains proposals as to how on-line service design might be adjusted to resolve these issues. This research is the result of the Visualisation and Other Methods of Expression (VOME) research project which explores why service users interact with on-line privacy controls in the way that they do. The project's primary goal is to develop interaction tools to help service users make better sense of their on-line privacy protection options. VOME is funded by the Technology Strategy Board, EPSRC and ESRC.

 

External Links (support doc) 
 



Name 
Lee Hughes
Contact Info (e.g. email, twitter, website) 
toxicnaan @T gmail (dot) com
Preferred Stream Time (30/60/90 mins) 
 30 mins
Session Title 
Buffer Overflows - It's Groundhog Day!!!
Abstract (max 500 words) 
Groundhog Day was a movie where the same set of events happened day after day......

Buffer overflows: we've all seen them, we know how to look for them, we know how to fix them, we know how to exploit them.
The first big documented buffer overflow was on VAX VMS in 1980. That's 31 years ago....

Can programmers be trusted to manage their own memory spaces?
Are there alternatives? Do you always need speed over safety? Why do we rely on C and C++ so much, even for code where performance is not an issue? Why do we take safe code in safe languages and reimplement it in unsafe languages?

Can we write safer code? What can we do to improve security? How do we ensure that code that is safe today is safe tomorrow? What languages are the safest, and how do we as programmers break these safe languages... hey, it's Groundhog Day!!!!!!!!!!

Who is to blame for this: software people? hardware people? Why can't we fix this stuff? Should we be adding more unsafe code to help us enforce security? Do you think we need to wait another 31 years for a fix?

If all else fails, why not enter the anti-overflow arms race. We lastly touch on a new experimental language which gives the flexibility and speed of C but hopefully lets us write safer code.

Welcome to Groundhog Day.

 

External Links (support doc) 
 



 

Name 
Chris John Riley
Contact Info (e.g. email, twitter, website) 

@ChrisJohnRiley
http://blog.c22.cc

Preferred Stream Time (30/60/90 mins) 
30 mins
Session Title 
Scrubbing your SAP clean with SOAP
Abstract (max 500 words) 
Lets scrub that SAP clean with SOAP!

 

External Links (support doc) 
http://blog.c22.cc



 

Name 
Chris John Riley
Contact Info (e.g. email, twitter, website) 

@ChrisJohnRiley
http://blog.c22.cc

Preferred Stream Time (30/60/90 mins) 
30 mins
Session Title 

UA Tester

Abstract (max 500 words) 
Everything you wanted to know about User Agent strings but couldn't be bothered to look up or check yourself!

 

External Links (support doc) 
http://blog.c22.cc



 

Name 
Stephen Howes
Contact Info (e.g. email, twitter, website) 

andrem at gridsure dot com

Preferred Stream Time (30/60/90 mins) 
30 minutes
Session Title 
Passwords are dead – But choose their replacement with care
Abstract (max 500 words) 
The death knell for the traditional password is being rung as companies like Google and Gawker find themselves forced to introduce stronger authentication methods. But while everyone agrees that we need to move on from the archaic password with all its problems and insecurities, nobody really knows where to go from here. What viable alternatives are there and how do they work? This talk discusses the plethora of authentication technologies out there, common pitfalls, issues such as usability, user education and cost implications, and why you need to start thinking about secure authentication right now.

 

External Links (support doc) 
www.gridsure.com



 

 

Name 
Glyn Wintle
Contact Info (e.g. email, twitter, website) 

@glynwintle

Preferred Stream Time (30/60/90 mins) 
 30/60 mins
Session Title 
 Legal DDOS, London E-Counting , & Defending Your Rights - The Open Rights Group
Abstract (max 500 words) 
 The Open Rights Group is the British equivalent of the EFF. Glyn will cover some recent developments with the Digital Economy Act, forthcoming e-counting in the next London Election and some success stories from over the years.

 

External Links (support doc) 

http://www.openrightsgroup.org/

http://blip.tv/file/574494/

 



 

Name 
Glyn Wintle
Contact Info (e.g. email, twitter, website) 

@glynwintle

Preferred Stream Time (30/60/90 mins) 
 60 mins
Session Title 
 Filters Do Not Work
Abstract (max 500 words) 
 A rapid fire collection of attack methods to bypass filters. This talk will cover everything from how to write javascript without using any letters or numbers, why the unicode ¥ YEN-SIGN maps to \ and how null values in the IA5String used by ASN.1 can be used to bypass filters. The intention of the talk is to cover a large number of techniques, to expand the audience's knowledge of what types of bypass are possible and to make sure they are checking for them.

 

External Links (support doc) 

 

http://72.249.45.205/bsideslondon/FiltersDontWork.pdf

 



 

Name 
Stephen Bonner
Contact Info (e.g. email, twitter, website) 

Stephen.Bonner (at)  barclays (dot) com

@stephenbonner

 

Preferred Stream Time (30/60/90 mins) 
60 mins
Session Title 
Human Factor - not just idiot savant prime finding
Abstract (max 500 words) 
Stephen takes us beyond technology to look at the human angles of information security. Using examples from award-winning awareness material including films, a book, roadshows, podcasts and ambient media Stephen will explain how to improve end user behaviour to turn them into the best line of defence.

 

External Links (support doc) 
 
http://www.youtube.com/watch?v=plkUvKuBdj8
Name 
Tim Brown 
Contact Info (e.g. email, twitter, website) 

timb AT nth-dimension.org.uk

Preferred Stream Time (30/60/90 mins) 
60 mins (could do in 30 mins)
Session Title 
Breaking the links: Exploiting the linker
Abstract (max 500 words) 
The recent discussion relating to insecure library loading on the Microsoft Windows platform provoked a significant amount of debate as to whether Linux and UNIX variants could be vulnerable to similar attacks. Whilst the general consensus of the Slashdot herd appeared to be that this was just another example of Microsoft doing things wrong, I felt this was unfair and responded with a blog post that sought to highlight an example of where Linux and POSIX-style linkers get things wrong. Based on the feedback I received to that post, I decided to investigate the issue a little further. This paper is an amalgamation of what I learnt. As such it contains specific discoveries, my own as well as others', as well as issues that are part of UNIX lore. The talk will include the following high-level areas:

* What is the linker?
* The linker attack surface
* Auditing shell scripts and binaries
* Real world exploitation

 

External Links (support doc) 
 
http://www.nth-dimension.org.uk/downloads.php?id=77
Name 
Martin Murfitt
Contact Info (e.g. email, twitter, website) 

mmurfitt AT trustwave.com

Preferred Stream Time (30/60/90 mins) 
60 mins
Session Title 
Covertly Obvious – A Frayed Hat’s Techniques for maxing Breadth and Depth in Network Penetration Tests

Abstract (max 500 words) 
As the complexity and disparity of networks and the penetration tests that provide security assurance thereof ever increases, a penetration tester's first responsibility to themselves is to maintain clarity of mind and stay organized to promote efficiency and quality of work. With all the power tools at your disposal nowadays, there's one which needs constant patching and is used to exploit everything: you. This talk will explain some simple tricks for younger dogs and also introduce some that may only seem obvious after disclosure. The talk will explain how such 'wrapper' utilities (which will be made available after the talk) can make all the difference to your total utility and help retain perspective effectively as the bandwidth increases.

 

External Links (support doc) 
Name 
Garry Sidaway
Contact Info (e.g. email, twitter, website) 

emilie dot starmer at integralis dot com

Preferred Stream Time (30/60/90 mins) 
 30 or 60 minutes
Session Title 
Why desktop security is irrelevant in the mobile world
Abstract (max 500 words) 
Everyone knows that mobile technologies, social media and flexible working mean that we are connected 24x7 to the enterprise, and to each other. Or do they? The latest survey commissioned by Integralis, a leading international IT security solutions provider, reveals the full extent of the security challenge in the 21st century – and the alarming fact that this new world of work seems to come as a surprise to many organisations; many of whom have no idea how to meet the challenge.

It is clear that the new world of work seems to have arrived unannounced and left many organisations grappling with the implications. It is also clear that, while many enterprises have the measure of the security challenge, meeting that challenge is becoming harder as devices escape company control and fall outside of its security policy. Organisations urgently need to stop thinking about security as a desktop challenge requiring a locked-down, fortified bunker solution.

The talk will discuss the challenges for CIOs and senior IT managers, and provide recommendations when engaging with the implications of the 'new working'. 'The office' is now a meaningless phrase for many people: work is wherever we find it, or it finds us.

 

External Links (support doc) 
Name 
Glenn Wilkinson
Contact Info (e.g. email, twitter, website) 
glenn (-at-) sensepost.com
Preferred Stream Time (30/60/90 mins) 
30 mins
Session Title 
Teaching Computers to Catch Hackers
Abstract (max 500 words) 
Two exciting fields in computer science are those of machine learning and computer security. The speaker finds both of these rather interesting, and would like to convince you of the same. This talk will look at clever techniques to teach computers to detect malicious activity on computing infrastructure, i.e. intrusion detection systems (IDS). The speaker has conducted research on applying machine learning and artificial intelligence techniques to detecting malicious TCP traffic. He will explain where he got the 20GB of traffic to use, and how he used freely available tools (and a few Perl scripts) to teach a computer to detect a high percentage of hacker-like activity. He will also explain the shortcomings of his research, and throw out possible further work to the audience to get involved in. The research was part of his MSc in computer science from the University of Oxford.

 

External Links (support doc) 
Name 
Glenn Wilkinson
Contact Info (e.g. email, twitter, website) 
glenn (-at-) sensepost.com
Preferred Stream Time (30/60/90 mins) 
30 mins
Session Title 
Hacking Online Auctions, Mostly for Profit
Abstract (max 500 words) 
Game theory. Auction theory. Economics. Statistics. These topics may not be what first comes to mind when you're bidding for the too-cheap-to-be-true item on your favourite auction site. However, they have significant use in the understanding of (and for our purposes, exploiting) online auction sites such as eBay or BidOrBuy. This talk will introduce various auction models and discuss how these classic models have been adapted to the digital age. It will examine the evolution of online auction algorithms, discussing how the algorithms and model parameters have been continuously updated in a battle between auctioneers and malicious bidders. A fairly recent model of online auction is that of the penny auction. Unlike the standard English auction model used by eBay, in penny auctions each participant pays a non-refundable fee to place a small bid increment (usually one cent or penny). When time expires, the last participant to have placed a bid wins the item and also pays the final bid price, which is usually drastically lower than the retail price of the item (e.g. an Xbox 360 and accessories going for R24.43). The outward appearance of the item going for an extremely cheap price is an illusion, and the site owner makes a tidy profit from all the non-refundable bids. The speaker aims to investigate exploiting both the penny auction model, and specific penny auction sites.

 

External Links (support doc) 
Name 
Alex Cox
Contact Info (e.g. email, twitter, website) 
www.netwitness.com
Preferred Stream Time (30/60/90 mins) 
60 mins
Session Title 
Kick Ass Zero-Day Malware Hunting – Putting Aside the Obvious
Abstract (max 500 words) 
The hallowed ground of kick-ass, targeted and zero-day malware hunting previously has been reserved for the few security researchers who either were lucky enough to stumble upon something truly unique, or those who spend their time collecting and reversing large amounts of samples from lots of fed-up public and private enterprises whose useless anti-malware solutions had completely failed. In a world where incident response team members responsible for finding bad juju on enterprise networks are fighting a seriously uphill battle, we can't spend anywhere from 2 to 4 hours analyzing each piece of suspect malware. Real-time / runtime analysis on suspect binaries on the host is challenging due to injection, hooking, and other adversarial subversion techniques. Static analysis on the host is equally a pain because static traits of packed and obfuscated malware too closely match those of legitimate binaries. Looking up all kinds of information across the global security community is valuable – but what really matters? And what about sandboxing? What are the pros and cons and dos and don'ts? This technical session will show B-Sides London attendees how to up their game and dramatically shrink the time required to identify and prioritize zero-day and targeted malware using a combination of four automated techniques: file (static) analysis, network forensics, community reputation and sandboxing. The use of the "kick ass malware hunter" title following completion of this session is optional, but highly recommended.

 

External Links (support doc) 
Name 
Ryan Jones
Contact Info (e.g. email, twitter, website) 

ryan (dot) jones _at_ Trustwave (dot) com

Preferred Stream Time (30/60/90 mins) 
30 mins
Session Title 
Real world forensic investigations brought to light: Case study
Abstract (max 500 words) 
This talk will follow a forensic investigation into a pan-European company who suffered a data compromise in 2010. The talk will discuss:

* Alerting – How the company became aware of the compromise
* Background – What did the investigators find when they arrived at the scene?
* Investigative decisions – How did the investigators decide how to progress?
* Forensic Imaging – The data acquired from computers, the network and surveillance software throughout the project
* Forensic Investigation – The investigative work carried out on the collected data
* Conclusion – What actually happened?
* Vulnerabilities – How could the company have stopped this happening?
* Problems – In what way was the company unprepared for the investigative work?
* Lessons – What can you do to make sure you give investigators the best chance of success?

The talk will draw upon the 2011 Trustwave Global Security Report to contrast the investigative work and vulnerabilities with what Trustwave sees on a global scale. This will give context to the problems faced by the company in question. The investigative hurdles encountered are certainly not unique to this company.

The talk will be presented by Ryan Jones, Principal Consultant, Incident Response, SpiderLabs EMEA. Ryan has led data compromise investigations into a wide range of businesses, from small web-based stores to multinational retailers, and will provide his first-hand knowledge to supplement the big picture presented by the Global Security Report.

 

External Links (support doc) 
 
https://www.trustwave.com/GSR
Name 
Chris John Riley
TheSuggmeister
Arron "finux" Finnon
Frank Breedijk
Contact Info (e.g. email, twitter, website) 
Preferred Stream Time (30/60/90 mins) 
60 mins
Session Title 
Security YMCA
Abstract (max 500 words) 
Why shouting into the security echo chamber does no good! Set to interpretive YMCA dance....

 

External Links (support doc) 