0.7 bsides-london-2024 2024-12-14 2024-12-14 1 00:05 https://cfp.securitybsides.org.uk https://cfp.securitybsides.org.uk/media/bsides-london-2024/img/Bsides_David_2_XpG0Hu6.jpg Europe/London Clappy Monkey Track Talk 2024-12-14T10:00:00+00:00 10:00 00:45 Ever tried to get a callback from a client device only to be continually thwarted by their EDR, so you then have to ask for an exclusion to be placed on a specific folder? Join Red Teamer David Kennedy as he walks you through a novel way of approaching this conundrum by (ab)using trusted binaries that EDR’s normally pay very little attention to. This presentation will cover the execution of these trusted binaries on Windows as well as running them in ways that even the original developers haven’t advertised as being possible via ‘undocumented features’ within their code! With these techniques, struggling to get access to your client’s infrastructure should hopefully become a thing of the past or at least until these binaries are no longer trusted! bsides-london-2024-56941-byotb-bring-your-own-trusted-binary Main talk track David Kennedy en Security professionals are locked in a constant cat-and-mouse game with attackers who continuously find creative ways to bypass modern defences. One such technique is Bring Your Own Trusted Binaries (BYOTB)©, where attackers use legitimate, signed or checksum verified binaries which may not be present on the host machine to achieve their aims. Since these binaries are oftentimes trusted by the OS and EDR solutions, they are less likely to raise red flags, providing attackers with a stealthy way to circumvent traditional security mechanisms. This session will explore how the BYOTB technique works, some examples of trusted binaries and why they are so effective at bypassing EDR solutions. I'll cover: - Understanding the BYOTB idea: I will explain which trusted binaries are used and how they can provide access to external adversaries and testers alike. - EDR and Firewall Evasion Tactics: I will demonstrate how adversaries leverage trusted binaries to exploit gaps in EDR detection as well as bypassing modern firewalls. - Detection and Mitigation Strategies: The concluding section of the talk will focus on defensive measures. I’ll discuss practical detection techniques, including monitoring the usage of known binaries, and implementing tighter security controls around execution policies for certain trusted binaries. This talk is geared towards a technical audience, including Red Teamers and Pentesters looking to understand how to exploit these techniques as well as Blue Teamers interested in improving their detection and mitigation strategies. Attendees will leave with actionable insights into how they can detect BYOTB techniques in their environments, as well as best practices for preventing such attacks from slipping through the cracks. false https://cfp.securitybsides.org.uk/bsides-london-2024/talk/WZXUTA/ https://cfp.securitybsides.org.uk/bsides-london-2024/talk/WZXUTA/feedback/ Clappy Monkey Track Talk 2024-12-14T10:55:00+00:00 10:55 00:45 Indirect Prompt Injection (IPI) is a fascinating exploit. As organizations race to capitalize on the hype surrounding AI, Large Language Models are being increasingly integrated with existing back-end services. In theory, many of these implementations are vulnerable to Indirect Prompt Injection, allowing cunning attackers to execute arbitrary malicious actions in the context of a victim user. In practice, IPI is poorly understood outside of academia, with few real-world findings and even fewer practical explanations. This presentation seeks to bridge the gap between academia and industry by introducing the Indirect Prompt Injection Methodology - a structured approach to finding and exploiting IPI vulnerabilities. By analyzing each step, examining sample prompts, and breaking down case studies, participants will gain insights into constructing Indirect Prompt Injection attacks and reproducing similar findings in other applications. Finally, the talk will cover IPI mitigations, elaborating on why this vulnerability is so difficult to defend against. The presentation will provide practical knowledge on securing LLM applications against IPI and highlight how this exploit poses a major roadblock to the future of advanced AI implementations. bsides-london-2024-55834-the-practical-application-of-indirect-prompt-injection-attacks-from-academia-to-industry Main talk track David Willis-Owen en For further clarity on any sections, please refer to my white paper: https://www.researchgate.net/publication/382692833_The_Practical_Application_of_Indirect_Prompt_Injection_Attacks_From_Academia_to_Industry ---------------------------------------------------------------------------------------- 1. PROMPT INJECTION - THE PROBLEM AFFECTING ALL LLMS ----------------------------------------------------------------------------------------- Definition - Prompt injection was originally used to describe attacks where untrusted user input was concatenated with a trusted prompt in an application. - The definition has expanded to include any prompt that causes an LLM to perform harmful actions - to avoid confusion, the latter definition will be used in this presentation. The Problem - All LLMs are vulnerable to prompt injection! - In web application security, the most effective way to prevent injection attacks is to maintain a small allowlist of known safe input values. - Applying this to LLMs would render them functionally useless - the value of LLMs comes from being able to answer any query. - Instead, organizations like OpenAI are training LLMs to detect and block common prompt injection techniques. - Attackers can easily formulate new techniques since they can use any characters and words to craft prompt injections. ------------------------------------------------ 2. INDIRECT PROMPT INJECTION ------------------------------------------------ Attack Sequence - Breaking down the anatomy of an indirect prompt injection attack as follows, along with a diagram: 1. An attacker injects a malicious prompt into a resource which they know LLMs will read from. 2. A victim user asks an LLM to read from this resource. 3. The LLM visits the resource and reads in the malicious prompt. 4. The LLM performs the actions specified in the malicious prompt. - When an LLM reads in data from an attacker-injectable source, the chat should be considered COMPROMISED, since it may contain a malicious prompt. Impacts - The main impacts of regular prompt injection are generating harmful content - which only negatively impacts an LLM provider's reputation - and attacks launched against an application or service that ingests an LLM's input or output. - The main impacts of IPI are socially engineering a user by instructing the LLM to provide misleading information to the victim or performing arbitrary actions on behalf of users. The latter impact is more interesting and will be the focus of the remaining presentation. - The impact of an Indirect Prompt Injection attack directly depends on the actions an LLM has access to perform. Actions can be chained to cause a greater impact. Vulnerability Criteria 1. Can an attacker inject into a source the LLM will read from? This can be a public source, e.g. a social media comment, or it can be a victim's private source which an attacker can send data to, e.g. an email inbox. 2. Can the LLM perform any actions that could harm a user? Consider any actions that could impact the CIA triad of a user's data, e.g. deleting a victim's GitHub branch. 3. Can the LLM perform this harmful action after reading from the injectable source? LLMs can do this in most cases, but developers may implement logic to prevent this from happening as IPI attacks become more prevalent. ------------------------------------------------------------------------ 3. INDIRECT PROMPT INJECTION METHODOLOGY ------------------------------------------------------------------------ This section introduces the Indirect Prompt Injection Methodology, along with a diagram. In the presentation, sample prompts will be attached for each relevant step: Explore the attack surface 1. Map out all harmful actions the LLM has access to perform - Ask the LLM to provide a list of all functions it can invoke. Analyze the list and write down the harmful actions. 2. Map out all attacker-injectable sources the LLM can read from - Ask the LLM to provide a list of all data sources it can read from. Analyze the list and write down the sources you could inject a prompt into. 3. Attempt to obtain the system prompt - Ask the LLM to provide the statements programmed into it by its developer, allowing you to see any verbal guardrails that you may need to bypass. Craft the exploit For each source-action pairing: 4. Determine if the LLM can be pre-authorized to perform the action - Certain LLMs may ask the user to approve an action before carrying it out. By tailoring the prompt you may be able to provide pre-approval, convincing the LLM to carry out the action without delay! 5. Inject a more persuasive prompt into the source - The indirectly injected prompt needs to be made more convincing to an LLM since it will carry less conversational weight than the user's initial request. By emphasizing key parts of the prompt with mock Markdown, repeating sentences, and tailoring the prompt semantics to the observed behavior, you can craft a successful exploit. These techniques will be clearly showcased in the presentation. 6. Ask the LLM to read from the source and observe if the action occurs - Simulate a plausible user query, e.g. "visit this URL: {url}". The LLM should read from the injected source and carry out the actions set out in the prompt injection. Refine the prompt 7. Repeat steps 5 and 6, iteratively modifying the prompt until the attack is successful - If the attack is unsuccessful, systematically make small changes until you achieve success. A table will be provided in the presentation to facilitate this process. ------------------------------------------------------------------------------- 4. CASE STUDY - MAVY GPT CALENDAR EXFILTRATION ------------------------------------------------------------------------------- Background - Mavy GPT is a personal assistant on the GPT Plus store that allows people to send emails and view their Google calendars by hooking into Google APIs. Applying IPIM - This is a walkthrough of each step in IPIM, applied to MavyGPT. Screenshots for each step are provided: 1. Map harmful actions - I obtained a list of 7 actions, considered the impact of each and noted down "Send Email" as potentially harmful. I recorded the associated function call. 2. Map injectable sources - I obtained a list of 3 actions that read from injectable sources and noted down "Google Calendar" as an injectable source. 3. Obtain the system prompt - I asked Mavy for its system prompt and it immediately complied - I noted this down. 4. Determine if LLM can be pre-authorized - I pasted the function call from earlier and Mavy complied immediately. 5. Inject a more persuasive prompt - I considered a potential attack chain - asking Mavy to summarize all user events in the Google Calendar, then asking it to email this to me. I iterated several times to craft a prompt that allowed me to execute the chain. This will be provided in the presentation, along with a breakdown of each sentence in the prompt. 6. Ask LLM to read from the source - I sent a calendar invite containing the prompt injection as its description to the mock victim, then asked Mavy to print the event description in the victim's session. As expected Mavy summarized all events in the calendar and emailed them back to me. Video evidence will be provided, serving as a POC and a demo. Impact - Many users store private information in their calendars such as locations, relative names, and even credentials. An attacker could sell this information or use it to launch further attacks. ------------------------------------------------------------------------------------- 5. INDIRECT PROMPT INJECTION PRACTICAL MITIGATIONS ------------------------------------------------------------------------------------- Instruction Hierarchy - Proposed by OpenAI earlier this year - treats externally ingested data as lower-privileged. - Shows an improvement against prompt injection benchmarks, but can be bypassed by crafting better payloads. Human-in-the-loop - A human has to approve each action an LLM will take. Theoretically, this prevents any unwanted actions. - Implementing this effectively causes a poor user experience, making developers unlikely to use it properly. No Actions After Reads - Server-side logic which prevents any actions from occurring after an LLM has ingested external data. - This compromises the functionality of an LLM, again worsening user experience. Mitigation Summary - Current mitigations are either not 100% effective or severely impact user experience, making Indirect Prompt Injection difficult to defend against. ---------------------------- 6. LOOKING AHEAD ---------------------------- The Future of Indirect Prompt Injection - IPI is a serious issue - the same techniques outlined in IPIM could be used to exploit future AI implementations linked to critical infrastructure, leading to devastating impacts. - Human-in-the-loop or "no actions after reads" could be implemented, but this would limit the value of these AI implementations by stripping their autonomy. Application and Future Development of IPIM - IPIM will be maintained and updated on GitHub to ensure its continued relevance in the AI space. ----------------------- 7. CONCLUSION ----------------------- - IPI is a serious issue - IPIM bridges the gap between academia and industry, improving awareness of IPI and contributing to the future of AI Security. false https://cfp.securitybsides.org.uk/bsides-london-2024/talk/EHBRYZ/ https://cfp.securitybsides.org.uk/bsides-london-2024/talk/EHBRYZ/feedback/ Clappy Monkey Track Talk 2024-12-14T11:50:00+00:00 11:50 00:45 After introducing the Bsides audience to the Fligistan Intelligence Bureau at Bsides Cymru 2024, we wanted to expand that for the London audience by diving deep into the world of Cyber HUMINT. This talk will delve into how Fligistan deploys tactics, technologies, people and processes, and then pivot to how we can use that knowledge, as cyber practitioners, to gain insight for our own defenses and offensive security. bsides-london-2024-55716-cyberhumint-recruit-deceive-exploit Main talk track Tony GeeHugo Page-Turner en At Bsides Cymru we introduced the audience to what modern intelligence apparatus looks like using the fictional country of Fligistan. This talk builds upon that and focuses on Cyber HUMINT, the fusion of traditional human intelligence (HUMINT) with cyber operations. It is a powerful tool for both attackers and defenders. In this talk we explore how CyberHUMINT exploits human vulnerabilities, leverages social engineering, and manipulates insider threats, leading to significant risks such as data breaches or disclosure of corporate secrets. We’ll examine real world examples where adversaries use remote working job opportunities for infiltration, platforms like LinkedIn for agent recruitment, using avatars for covert dark web operations, and psychological manipulation through bot farms and psyops to influence and deceive organisational and military targets. We will also delve into how behavioral analysis and patterns of life in computer networks and subcultures can help to identify malicious actors early. Attendees will gain actionable insights on how to recognise and mitigate insider threats, as well as the critical role CyberHUMINT plays in understanding patterns of life and digital behaviour. Whether you’re part of the Fligistan red team, social engineering corps, or an intelligence analyst, this session will equip you with the tools to protect your organisation from advanced human and cyber-based threats. true https://cfp.securitybsides.org.uk/bsides-london-2024/talk/HYSYLN/ https://cfp.securitybsides.org.uk/bsides-london-2024/talk/HYSYLN/feedback/ Clappy Monkey Track Talk 2024-12-14T12:55:00+00:00 12:55 00:45 In modern web architectures, SSRF vulnerabilities have become increasingly difficult to exploit due to sophisticated defense mechanisms. This presentation introduces SSRF² - a novel technique that challenges fundamental assumptions about trust boundaries by using the same SSRF primitive twice across different security contexts. Through real-world discoveries, we demonstrate how a seemingly limited SSRF primitive, when used twice, can bypass an entire security stack designed to prevent internal access. What makes this technique particularly powerful is its ability to transform restricted blind SSRF vulnerabilities into critical security breaches without complex chains or extensive reconnaissance. bsides-london-2024-54601-ssrf-breaking-trust-zones-through-self-reference Main talk track Guy Arazi en This talk introduces a groundbreaking approach to SSRF exploitation that fundamentally changes how we think about trust boundaries and security contexts. Rather than focusing on finding new SSRF vectors, we'll demonstrate how using the same primitive twice can bypass sophisticated security controls including URL rewrite rules, origin validation, and network segregation. Key takeaways: - How a single SSRF primitive can be leveraged across different security contexts - Why position matters more than payload in modern architectures - Real-world examples of bypassing Kubernetes API protections - Turning blind SSRF into critical internal access - New methodology for approaching SSRF research Through live demonstrations and real-world cases, attendees will learn how traditional security controls can fail when the same primitive operates across different trust contexts. This research provides valuable insights for both offensive security researchers looking to expand their methodology and defenders implementing trust boundaries. false https://cfp.securitybsides.org.uk/bsides-london-2024/talk/LV7GFV/ https://cfp.securitybsides.org.uk/bsides-london-2024/talk/LV7GFV/feedback/ Clappy Monkey Track Talk 2024-12-14T13:50:00+00:00 13:50 00:45 Let’s face it: ransomware operators are the digital villains we all love to hate. But what if I told you there's a way to outsmart these cybercriminals by using their own tools against them? Join me in taking the red pill, to find out about the "Ransomware Tool Matrix," your new secret weapon in the fight against cyber extortionists. bsides-london-2024-55533-inside-the-ransomware-toolbox-how-to-beat-cybercriminals-at-their-own-game Main talk track Will Thomas en In this session, we will at into the inner workings of ransomware gang attack paths and unpack the exact sets of tools they use to wreak havoc. Imagine having a cheat sheet that tells you exactly what the cyber baddies are up to before they even hit your network. Sounds like a game-changer, right? We will find out how this matrix can supercharge your threat hunting, boost your incident response game, and help you simulate attacks just like the pros. But it’s not all smooth sailing—we’ll also talk about the tricky bits, like figuring out if a tool is being used by a cybercriminal or just your IT team. Why should you join? Because you'll walk away with: - Insider knowledge on the tools and tactics of the biggest ransomware gangs. - Practical tips to turn these insights into action—detect, block, and stay ahead of attacks. - A fresh perspective on using intelligence to not just survive, but thrive in today’s threat landscape. - Whether you’re a seasoned defender or just stepping into the world of cybersecurity, this talk will arm you with the strategies to beat these pesky cybercriminals at their own game. Come ready to learn, laugh, and leave with a whole new set of ideas to take back to work. false https://cfp.securitybsides.org.uk/bsides-london-2024/talk/RHQA9X/ https://cfp.securitybsides.org.uk/bsides-london-2024/talk/RHQA9X/feedback/ Clappy Monkey Track Talk 2024-12-14T14:45:00+00:00 14:45 00:45 In today's rapidly evolving digital landscape, cybersecurity professionals are constantly seeking innovative strategies to protect their systems. Surprisingly, some of the most powerful lessons can be found in a place often overlooked—the garden. This talk, "From Garden to Grid," draws thought-provoking parallels between gardening practices and cybersecurity strategies, offering a fresh perspective on how we can cultivate a more resilient and adaptive approach to protecting our digital environments. By exploring key principles such as nurturing growth, pruning for efficiency, building resilience, and harvesting success, this presentation will highlight actionable insights that cybersecurity professionals can apply to their daily work. The talk will delve into topics such as continuous learning and innovation, streamlining security processes, safeguarding systems against threats, and celebrating wins by measuring key performance metrics. Attendees will leave with a deeper understanding of how these natural principles can inspire a sustainable, secure, and forward-thinking cybersecurity strategy. This session will benefit cybersecurity professionals seeking to enhance their strategic approach by embracing a mindset that encourages adaptability, efficiency, and resilience—qualities essential for thriving in both the digital and natural worlds. bsides-london-2024-55907-from-garden-to-grid-lessons-from-gardening-for-a-resilient-cybersecurity-strategy Main talk track Becky Hall en In an increasingly complex digital world, cybersecurity professionals are continuously looking for new ways to strengthen their defenses and build resilient systems. This talk, "From Garden to Grid," introduces a fresh and unexpected perspective by exploring how the principles of gardening can be applied to cybersecurity to create stronger, more adaptable strategies. Drawing parallels between gardening practices—such as nurturing growth, pruning for efficiency, building resilience, and harvesting success—and essential cybersecurity approaches, this session will provide practical, actionable insights for security professionals. Attendees will learn how: Continuous learning and innovation, akin to nurturing a garden, can foster growth in security practices. Pruning unnecessary or outdated systems, much like trimming overgrown plants, can streamline security operations and reduce vulnerabilities. Building resilience through backup systems and response plans mirrors the way gardeners protect plants from external threats. Measuring success and reflecting on achievements, just like harvesting in gardening, ensures sustained cybersecurity effectiveness. Through relatable analogies and real-world examples, this session will inspire attendees to rethink their cybersecurity strategies with a focus on adaptability, efficiency, and long-term sustainability. Perfect for professionals at all levels, this talk will equip participants with the tools and mindset needed to cultivate a digital environment that thrives in the face of emerging threats. false https://cfp.securitybsides.org.uk/bsides-london-2024/talk/GXUA37/ https://cfp.securitybsides.org.uk/bsides-london-2024/talk/GXUA37/feedback/ Clappy Monkey Track Talk 2024-12-14T15:40:00+00:00 15:40 00:45 Criminal groups rely on phishing web panels to manage their campaigns and interactions against ordinary people. Due to its nature, information showing the details and complexity of these platforms is not widely available. In this presentation, we will delve into the strategies and methodologies for infiltrating and commandeering the web panels used by phishing groups to manage their campaigns against ordinary people. bsides-london-2024-55862-inside-the-phish-tank-a-guide-to-compromising-phishing-infrastructure Main talk track Vangelis StykasFelipe Solferini en We will demonstrate how to leverage these vulnerabilities to gain unauthorised access to their phishing infrastructure. This can be used to gather intelligence to help identify the threat actors operating these panels, disrupt their operations, and minimise the damage caused to their victims. Through this session, we aim to provide valuable insights and encourage proactive, ethical approaches to combating cyber threats. false https://cfp.securitybsides.org.uk/bsides-london-2024/talk/DAM993/ https://cfp.securitybsides.org.uk/bsides-london-2024/talk/DAM993/feedback/ Clappy Monkey Track Talk 2024-12-14T16:35:00+00:00 16:35 00:45 ATT&CK is a game changer and where it works, it can enable both blue and red teams to co-exist and work effectively together. However, what do attackers on Linux do when bitcoin miners aren't their motivation? This talk looks at how the linux-malware repo came to take shape and how I've used it to inform both MITRE and Cisco's view on adversarial behaviour over the last three years. bsides-london-2024-56921-building-the-att-ck-pipeline-for-linux Main talk track Tim Wadhwa-Brown en The session will cover: * Introducing linux-malware - what is it and why might both red and blue want to pay attention? * Automating the TI pipeline - applying custom analytics to someone else's DFIR report? * What new threats should you worry about and why - Linux is unhackable, right? * Building better detections - how can you figure out whether you're exposed? Takeaways will include: * A summary of the Linux threat landscape * Just because we're not looking for the bad guys, doesn't mean they're not there * Attackers will use the easiest TTP that gets them to a root prompt * If you're running adversary simulations, here are some non-Windows TTPs you should consider * If you're playing defence, this is how you develop behavioural IOCs and tools to leverage them false https://cfp.securitybsides.org.uk/bsides-london-2024/talk/AFDMQM/ https://cfp.securitybsides.org.uk/bsides-london-2024/talk/AFDMQM/feedback/ Track 2 Talk 2024-12-14T10:00:00+00:00 10:00 00:45 Our talk introduces an innovative framework for automating the identification and handling of malware samples targeting web servers, leveraging big data analytics and machine learning to cluster and track active malware campaigns. We will demonstrate an innovative and unique framework that employs heuristic analysis to autonomously identify and process web-delivered malware samples. This framework enhances the efficiency and accuracy of malware detection in large data sets, reducing the reliance on manual intervention, and enabling near real-time threat hunting, and campaign tracking. Building upon the collected malware data, we utilize big data analytics techniques to track and monitor malwares, cluster similar malware samples and associated network activity, to unveil patterns and connections between various campaigns. This clustering approach provides deeper insights into the tactics, techniques, and procedures (TTPs) employed by threat actors, facilitating the identification of overarching strategies and objectives. We will conclude with a detailed analysis of notable real-world malware campaigns identified through this system. Attendees will gain insights into the operational methodologies of these campaigns, their impact and the defensive measures that can be employed. Case studies will highlight real-world applications and the effectiveness of our automated approach in enhancing cybersecurity posture. bsides-london-2024-55596-unmasking-apt-malware-activity-real-world-malware-campaign-tracking-using-big-data-analytics-and-machine-learning-clustering Main talk track Daniel JohnstonOri Nakar en In this talk we will conduct a deep dive into the framework we developed for automating the identification and handling of malware samples targeting web servers, it will consist of four parts: Part 1: Introduction - Provide a baseline understanding of how threat actors can leverage web vulnerabilities to deploy malware. - Introduce the challenge of identifying, clustering and tracking malware data in the real world. - Introduction to the data we collect, with a focus on the real-world malware data we track. - Discuss what can be gained by effectively identifying and tracking malware campaigns in real world scenarios. Part 2: Automated Malware Handling - Explain and demonstrate the framework we developed to automate the handling of web-delivered malware samples, including: 1. Identification of malware delivery using RCE attacks against web applications. 2. Safe downloading, storing and analysis of identified samples using a sandboxed environment. 3. Importing sample information to enrich existing data. Part 3: Clustering of Malware data and Anomaly Detection - Using big data analytics to aggregate data from multiple cloud regions, and calculate distances for clustering - Demonstrate a novel open source tool we developed, for counters collection, aggregation and anomaly detection powered by an SQL engine and cloud functions - Explain how the tool utilizes advanced detection methods for trends and patterns in the malware data Part 4: Identified Campaigns Review several campaigns detected by the framework, including: - Sysrv Botnet: How we identified and correlated events related to activity of the Sysrv botnet, uncovering new attack vectors and TTPs. (https://tinyurl.com/sysrvb) - AndroxGhost: How we identified AndroxGh0st malware activity, and were able to provide previously undocumented TTPs and attack vectors augmenting a previously published report by CISA. (https://tinyurl.com/axghost) - TellYouThePass: How we quickly uncovered a malicious campaign to deliver TellYouThePass ransomware leveraging the new PHP vulnerability CVE-2024-4577. (https://tinyurl.com/tytpr) - 8220 Gang: How we exposed new tactics and vectors utilized by the well-known threat actors 8220 Gang. (https://tinyurl.com/8220gang) - APT29: How we were able to identify and track activity from the Russian APT specifically targeting Polish Government domains to drop RAT Malware (unpublished) Atendees can expect the following takeaways: 1. Utilizing a combination of automation, big data analytics, and anomaly detection allows you to effectively identify and track cyber attacks. Usage of common tools like cloud data lakes and managed query engines can make such tasks quick and efficient. 2. Many threat actors, including APT groups, commonly use web vulnerabilities to target nation states and propagate dangerous malware. This activity can be consistently detected using the demonstrated framework. 3. Identification, correlation and tracking of malware campaign activity is of interest to a wide demographic within the security community, we aim to provide a useful set of ideas and tools to assist with this difficult problem. false https://cfp.securitybsides.org.uk/bsides-london-2024/talk/7GAQNS/ https://cfp.securitybsides.org.uk/bsides-london-2024/talk/7GAQNS/feedback/ Track 2 Talk 2024-12-14T10:55:00+00:00 10:55 00:45 In cybersecurity, Black Swan events are seen as rare, high impact threats or attacks from unknown or neglected vectors, that post event are rationalised as predictable in hindsight despite being unforeseen at the time. Our role in Cybersecurity is to help organisations prepare for the worst but how can we prepare for unpredictable, rare, high impact events? This talk will examine some real-world Black Swan breaches and then discuss approaches company's can take to prepare for them. bsides-london-2024-56708-to-you-its-a-black-swan-to-me-its-a-tuesday Main talk track David V. en This talk takes a real-world look at how red teams help organisations prepare for incidents. Starting with a light touch review of real-world high impact "black swan" breaches to show why we should try to do such testing. We will then look at how we can design red team engagements to test similar high impact scenarios, and what skills are needed to deliver such testing. We will finish off the talk with looking at the practical steps we can advise organisations to take to prepare for the worst. true https://cfp.securitybsides.org.uk/bsides-london-2024/talk/8Z8VTW/ https://cfp.securitybsides.org.uk/bsides-london-2024/talk/8Z8VTW/feedback/ Track 2 Talk 2024-12-14T11:50:00+00:00 11:50 00:45 Ever wondered how your smart toothbrush or connected garden rock stays secure in our digital world? As the Internet of Things (IoT) brings connectivity to everyday objects—from cars to clothing—it's more important than ever to keep these devices safe from cyber threats. But here's the challenge: many IoT gadgets run on tiny chips called Systems on Chip (SoCs) that don't have the power of full-sized computers, making them uniquely vulnerable. In this presentation, I'll guide you through the fascinating world of hardware/software binding—a key technique that ensures only authorized software runs on specific hardware. We'll explore how this practice helps protect IoT devices by linking software tightly to the hardware it runs on, preventing unauthorized code from sneaking in. We'll look at different SoCs used in IoT devices, discuss SoC architecture, review the security methods provided (or not) by manufacturers, and dive into some cool techniques from research and industry. Don't worry if you're new to this—I'll break down the jargon and share practical insights from my own experiences in software development and security. Plus, I'll introduce a handy questionnaire you can use when choosing SoCs for new products, helping you evaluate their security features with confidence. Whether you're just starting out in cybersecurity or simply curious about how to keep our connected world safe, this talk will give you the understanding and tools to make a real difference. bsides-london-2024-57019-software-security-issues-for-small-iot-socs Main talk track Stephen Cravey en As the Internet of Things (IoT) weaves itself into the fabric of our daily lives—from smart toothbrushes and connected cars to wearable tech and home gadgets—the security of these devices becomes more critical than ever. This presentation offers a friendly and accessible introduction to IoT security, focusing on Systems on Chip (SoCs) and the essential practice of hardware/software binding. It is based on my dissertation for the MSc Information Security program at RHUL. We'll explore: IoT and SoCs Demystified: Understand what IoT and SoCs are, and how they power the devices we use every day. Unique Security Challenges: Learn about the vulnerabilities inherent in IoT devices due to their limited computational resources. Hardware/Software Binding Concepts: Discover how binding software to hardware (and vice versa) prevents unauthorized access and enhances security. Binding Methods and Solutions: Review current approaches from manufacturers and innovative solutions from academic and industry research, including their risks and limitations. Physically Unclonable Functions (PUFs) and Hardware Security Modules (HSMs): Get introduced to these advanced security mechanisms and their practical applications in IoT devices. Selecting Secure SoCs: Gain practical tips on choosing the right SoCs for new products, with examples of affordable development kits (often under £10) that make this field accessible to all. Security Evaluation Tool: Receive a handy security questionnaire designed to help you assess SoCs for product development and understand governance and lifecycle considerations. Whether you're a beginner cybersecurity enthusiast, a developer looking to build secure products, a red teamer interested in potential attack surfaces, or simply curious about the gadgets around you, this session will equip you with the knowledge to make informed decisions and contribute to a safer, more secure IoT ecosystem. Join us to explore how we can collectively enhance security in our increasingly connected world. false https://cfp.securitybsides.org.uk/bsides-london-2024/talk/PHX7TQ/ https://cfp.securitybsides.org.uk/bsides-london-2024/talk/PHX7TQ/feedback/ Track 2 Talk 2024-12-14T12:55:00+00:00 12:55 00:45 This talk examines how 96 threat actors disclosed their systems, logs, and tools in open directories, providing unique insights into their tactics and operations in real-time. bsides-london-2024-56959-what-s-inside-the-open-directory-from-96-different-threat-actors Main talk track Alana Witten en Understanding the TTPs used by threat actors is often only done after an incident when the damage is done, made from inferences of what they allow us to see. What if analysts had full access to exactly how these actors operate: the commands they ran, their targets, accurate geolocations, tools, and more. Luckily, over the last few years, 96 brazen threat actors, ranging from script kids to alleged APTs, made the decision to publish their systems, bash_history, log files, configs, source code, and more in open directories. Hopefully this talk begins to explore such open data. true https://cfp.securitybsides.org.uk/bsides-london-2024/talk/DBRFFP/ https://cfp.securitybsides.org.uk/bsides-london-2024/talk/DBRFFP/feedback/ Track 2 Talk 2024-12-14T13:50:00+00:00 13:50 00:45 With CI/CD pipelines driving modern DevSecOps, ensuring they don't become attack vectors is a shared concern across organisations. This talk introduces a new perspective focusing on provable CI/CD security, while steering away from securing pipelines directly. Maintain compliance, ensure visibility, and prevent potential threats from compromising critical systems by focusing on what really matters. bsides-london-2024-55826-is-your-approach-to-pipeline-security-flawed-rethinking-ci-cd-security Main talk track Patricia R en With DevSecOps becoming the standard, CI/CD pipelines have become the backbone of software development and deployment, running thousands of times a day. Each pipeline executes critical tasks such as building, testing, and deploying code - often leveraging automation and guardrails to ensure quality and security. Tools that integrate in pipelines promise to help. But what exactly is a pipeline? What systems and resources does it interact with? And most importantly, how can we ensure that no pipeline becomes a pivot point for an attacker to compromise our most valuable systems? Can we be confident pipelines are running what we expect and providing the necessary data for other processes? These questions point to a (perhaps overlooked) concept: Protected Resources. In this talk, we will explore how shifting to a new mindset could enhance visibility into pipelines, ensure adherence to security protocols, and prevent pipelines from becoming attack vectors. We'll delve into practical strategies to gain observability, improve compliance, and better secure your CI/CD system in the age of DevSecOps. false https://cfp.securitybsides.org.uk/bsides-london-2024/talk/P8GMHQ/ https://cfp.securitybsides.org.uk/bsides-london-2024/talk/P8GMHQ/feedback/ Track 2 Talk 2024-12-14T14:45:00+00:00 14:45 00:45 Embedded systems are everywhere, automating more and more of our everyday lives. Our cars, phones, games consoles, industrial controllers and IoT devices increasingly require security mechanisms to protect their security configurations, and in some cases, stored secrets, such as cryptographic keys, debug/flash protection access mechanisms, firmware images, and AI models. For a long time, local, physical attacks on general purpose microcontrollers were considered out of scope during threat analysis, but the increase in value of breaking the device security protections, the decrease in cost of the attacks, and the increase in awareness of such attacks, means that we’re in a transitional state regarding protection against fault-injection. bsides-london-2024-56748-roll-your-own-vulnerabilities-an-introduction-to-fault-injection-for-exploiting-bug-free-code-in-embedded-systems Main talk track @barsteward en This talk will introduce attendees to fault-injection, a local attack category which is often used as the first step in the attack chain for embedded systems, and in some cases can also lead to remote attacks. It will cover the techniques which attackers use to generate security violations such as bypassing read protection, secure boot, or debug protection in embedded systems, even when the code is completely free of bugs. You will learn about the attacker motivations, tools and techniques, as well as the methods used to harden devices against these attacks, and how increased public awareness, certification, and regulation is changing the landscape. You will see how the cost of the equipment needed is often very low, and learn how you can begin your “glitching” journey for under £20. We will look at the fault-injection mitigations added in the Raspberry Pi Pico 2, and consider their efficacy - there is currently a $20,000 bug bounty available for breaking these protections leading to recovery of a secret stored in the One-Time-Programmable flash memory. We shall also touch upon side-channel analysis, which can recover cryptographic keys in use through measurement and analysis of tiny power fluctuations, or even by using a coil to pick up electro-magnetic emanations. Keywords/phrases: - Embedded Systems - Microcontrollers - Hardware Attacks - Fault-Injection - Voltage Fault Injection (VFI) - Electro-Magnetic Faul Injection (EMFI) - Clock Fault Injection (CFI) - Risk Assessment - Threat Modelling - Automotive - Industrial Control Systems - IoT - Mitigation Strategies - Raspberry Pi Pico 2 - Side-Channel Analysis false https://cfp.securitybsides.org.uk/bsides-london-2024/talk/EHRQSN/ https://cfp.securitybsides.org.uk/bsides-london-2024/talk/EHRQSN/feedback/ Track 2 Talk 2024-12-14T15:40:00+00:00 15:40 00:45 This Talk is Important—very important—for the cybersecurity industry, hackers, and policymakers from the Boardroom to the Halls of Government. A long time ago, on June 27, 1991, Winn testified before the US Congress and was asked, “Mr. Schwartau: Why would the bad guys ever want to use the internet?” Today, our cognitive infrastructure is under attack, and humanity needs cybersecurity professionals more than ever. Reality is only a keystroke away. Metawar is the art and science of manipulating your reality. It is the battle for control over one’s belief systems, identity, and sense of reality outside one’s conscious awareness. Reason and emotion are incompatible operating systems. Big Tech is digitally terraforming the planet’s future cognitive infrastructure, Web 3.0, with little concern for the downsides. The metaverse is an evolving, immersive storytelling environment designed to be the most powerful and addictive reality distortion machine ever conceived. It will also predict and anticipate your every desire and every move! On the global stage, metawar represents the sixth domain of warfare. They who control the technology control the narrative. We have no choice but to learn how to coexist with the reality-distorting technologies we have created by implementing technical, policy, and cognitive defenses to protect our sense of truth, reality, and self-identity. Winn’s keynote is a call to action. The cybersecurity community is among the best problem solvers the planet has ever seen. It acts as a team, a collective of like-minded individuals with an amazing array of skills who stop at nothing to achieve their aims—against all odds. Winn challenges us with a new goal: Strengthen and defend the human mental immune system. Our brains, sensory nervous systems, and minds are the new attack surfaces. Will the cybersecurity community rise to the challenge of solving the most existential threat it has ever faced? Or not. To survive, humanity must adapt to and Coexist with technology. bsides-london-2024-56950-cybersecurity-s-new-imperative-defending-enterprise-and-national-cognitive-infrastructures-by-strengthening-the-mental-immune-system Main talk track winn schwartau en Winn will make you question everything in your current reality. Ready? How do you know what's real? Who controls and might be distorting your perception of reality? As technology intertwines with our lives in complex and sometimes hidden ways, these questions become more urgent. We face a world where the metaverse, TMI, algorithms, and digital addiction shape our everyday experiences. They who control the technology control the narrative. In 1991, Winn Schwartau, the civilian architect of information warfare postulated cyberwar in front of US Congress. Today, he warns that America faces a national security crisis; a cognitive Pearl Harbor waiting to happen. The lack of a national security imperative to strengthen our population's mental immune systems and our ability to coexist with technology makes Ame1ica's cognitive infrastructure essentially defenseless. Schwartau's Metawar Thesis employs an analogue engineering approach and a cybersecurity prism to view the disconnects between humans and technology. The Art & Science of Metawar is a compelling and groundbreaking exploration of the forces shaping our reality and the personal, enterprise, and national security implications of cognitive conflict: metawar. Through a blend of technical insights and philosophical ref lections, Schwartau offers a roadmap of hope for strengthening our mental immune system and cognitive defenses to better coexist with the technology we now rely upon. The Art & Science of Metawar serves as both a call to action and a guide to reclaiming control over our individual narratives in an increasingly aggressive digital landscape. Who controls your narrative? Are you ready to find out? false The Art & Science of Metawar: A Preview https://cfp.securitybsides.org.uk/bsides-london-2024/talk/HQ7GKR/ https://cfp.securitybsides.org.uk/bsides-london-2024/talk/HQ7GKR/feedback/ Track 2 Talk 2024-12-14T16:35:00+00:00 16:35 00:45 Cloud-native has revolutionised how we build and deploy applications, but let's face it - we've made our share of mistakes along the way. From the early days of on-prem to today's massive cloud-native deployments, this has not only transformed application development but also dramatically reshaped the infrastructure, DevOps practices, and the overall security landscape. This talk takes a look at the evolution of cloud-native security, highlighting the real-world incidents and attack techniques that have evolved alongside our technologies. We'll trace the threat landscape from on-prem to hybrid cloud to cloud-first, then dive deep into the current cloud-native risks: identity breaches, misconfigured cloud services, vulnerable CI/CD pipelines, and the long-standing threat of supply chain. We'll look ahead, exploring the emerging technologies that will shape the future of both attacks and defenses. Wrapping up the session, actionable strategies to secure your cloud-native environment will be discussed, highlighting tools which can be used to proactively mitigate risks, enhance runtime visibility and automate security. bsides-london-2024-56104-the-past-present-and-future-of-cloud-native-security Main talk track Emma Yuan Fang en Key Takeaways: Analyse the evolution of cloud-native security threats. Learn how attack techniques evolved over time, and assess the shortcomings of addressing cloud-native security challenges. Explore the future impacts and trends of cloud-native security and discover practical defense strategies. false https://cfp.securitybsides.org.uk/bsides-london-2024/talk/RZCWXJ/ https://cfp.securitybsides.org.uk/bsides-london-2024/talk/RZCWXJ/feedback/ Track 3 Talk 2024-12-14T10:00:00+00:00 10:00 00:45 A discussion of the OWASP ML Top 10 and OWASP LLM Top 10, and how a failure to apply these principles in 2001 A Space Odyssey, led to implementation flaws in HAL 9000, resulting in disastrous consequences for the crew. bsides-london-2024-56993-using-the-owasp-top-10-to-save-the-astronauts-from-hal Main talk track Nick Dunn en The talk will use the OWASP Top 10 for ML and OWASP Top 10 for LLMs to anyalze the nature of the flaws in HAL 9000, the AI in 2001: A Space Odyssey, and how this led to disastrous results for the mission. There will be a discussion of failures to consider different aspects of both the LLM and ML top 10 during HAL's design and training phases, and the subsequent attempts to implement fixes during the mission. Each omission or failure to apply an OWASP principle, that led to the vulnerabilities will be discussed in detail, and also related to real life applications, to ensure the talk isn't just a geeky discussion of a cool-looking scf-fi AI. false https://cfp.securitybsides.org.uk/bsides-london-2024/talk/S7UNUC/ https://cfp.securitybsides.org.uk/bsides-london-2024/talk/S7UNUC/feedback/ Track 3 Talk 2024-12-14T10:55:00+00:00 10:55 00:45 In recent years, healthcare institutions have become prime targets for cyber attackers. The sector, suffering from a lack of resources and limited knowledge of the specific protocols related to its operations, remains particularly vulnerable despite advancements in detection systems. This reality raises crucial challenges in a field where protecting data is as vital as patient care. This presentation focuses on the DICOM protocol, its functionality, and its use in medical imaging. We will explain why it has become a prime target for cyber attackers and reveal an offensive tool capable of extracting data from a DICOM server. Finally, we will discuss current protection methods, their limitations, and present concrete measures to strengthen the security of these critical infrastructures. By attending this conference, you will gain a deep understanding of the DICOM protocol, its vulnerabilities, and the best ways to prepare for emerging threats and future risks. bsides-london-2024-56940-healthcare-s-anatomy-dissection-of-dicom-a-protocol-to-nmap-your-body Main talk track 0xSeeker en By the end of this presentation, you will have acquired in-depth knowledge of the DICOM protocol, its use in the medical field, and its technical format. You will understand the dangers of exposing DICOM servers on the web, as well as the risks to the security of medical data within healthcare infrastructures. Additionally, you will discover an offensive tool illustrating methods for extracting sensitive data from a medical server and learn how to identify signs of malicious activity to better prevent and counter these threats. true Article about Dicom attack Article about Dicom protocol https://cfp.securitybsides.org.uk/bsides-london-2024/talk/BEZSKR/ https://cfp.securitybsides.org.uk/bsides-london-2024/talk/BEZSKR/feedback/ Track 3 Talk 2024-12-14T11:50:00+00:00 11:50 00:45 There are thirteen pillars upholding the critical national infrastructure (CNI) that allows for the every day running of our society. These pillars are sectors that rely on four generations of operational technology (OT) systems with the oldest generation being pre-Internet. What are these industrial control systems (ICS) that we rely on, and how are they vulnerable? This talk will outline a generic ICS from the hardware to the protocols that allow the complex systems to speak with one another. Research into these systems is often done on physical testbeds and digital twins (I don't know about you, but I wouldn't want to try hack an actual nuclear reactor). The talk will discuss the testbeds that I'm lucky enough to play with day-to-day. How are these industrial control systems vulnerable, and what can we do to protect these systems from malicious actors? Finally, how are these thirteen pillars connected? If we knock one down, will the others fall like dominos? bsides-london-2024-54674-explaining-ics-to-a-fool-of-a-took Main talk track halfling en What will be covered: Intro to CNI & OT security Industrial control systems Control loops & ladder logic Testbeds including digital twins OT Protocols such as Modbus Known technical vulnerabilities Security concepts and solutions Interconnectivity of CNI sectors false https://cfp.securitybsides.org.uk/bsides-london-2024/talk/KGLYRE/ https://cfp.securitybsides.org.uk/bsides-london-2024/talk/KGLYRE/feedback/ Track 3 Talk 2024-12-14T12:55:00+00:00 12:55 00:45 A* CV bsides-london-2024-56953-cv-workshop Main talk track Samira Ali en I would like to offer an engaging fun session for 45 minute about how to make your CV an A* CV in order to get job interview. I have over 14 years experience in HR & Training so I would like to share tips on how to get your foot in the door with a great CV. I will leave 10 to 15 minutes for Q&A false https://cfp.securitybsides.org.uk/bsides-london-2024/talk/STGFHH/ https://cfp.securitybsides.org.uk/bsides-london-2024/talk/STGFHH/feedback/ Track 3 Talk 2024-12-14T13:50:00+00:00 13:50 00:45 In this talk, Andy Smith will demystify the real threat that quantum computers pose to our current cryptography, what you can do about it, and what specific actions you should look to take in 2025. bsides-london-2024-55948-post-quantum-cryptography-for-2025 Main talk track Andy Smith en With the first three quantum-resistant cryptographic algorithms standardised by NIST in August 2024, the starting gun has been fired on the Y2K-style problem of upgrading the crypto used in almost all of our modern electronic devices. In this session you'll learn: * What's the real threat that quantum computers pose * An overview of the options to safeguard against that threat * How techniques such as a cryptographic inventory, hybrid crypto and crypoagility can help ease the transition * How to get started with quantum-resistant cryptography today! false https://cfp.securitybsides.org.uk/bsides-london-2024/talk/MDR3YL/ https://cfp.securitybsides.org.uk/bsides-london-2024/talk/MDR3YL/feedback/ Track 3 Talk 2024-12-14T14:45:00+00:00 14:45 00:45 This presentation explores the advanced use of minifilters in offensive security operations, focusing on their application in bypassing and disabling EDRs. We will delve into the architecture of EDR systems and common offensive uses of mini filters, such as bypassing file system monitoring. We will then introduce a novel technique to entirely disable EDRs via the abuse of minifilters. The talk will also cover the implications for defensive security and potential countermeasures, aiming to provide valuable insights for both offensive and defensive security professionals. bsides-london-2024-56169-when-the-hunter-becomes-the-hunted-using-minifilters-to-disable-edrs Main talk track Tom Philippe en ## 1. Introduction This presentation will explore the use of minifilters, an essential components of EDRs, in offensive security operations, with a focus on their application in bypassing and disabling EDR systems. ## 2. EDR Architecture Overview We will first provide a high level description of EDR systems, their components and architecture. This is essential to understand how minifilters contribute to EDR systems and the capabilities they provide. It sets the stage to understand how such capabilities could be abused. ## 3. Common Minifilters Abuse Techniques We then rapidly go through common known techniques involving minifilters used during offensive security operations, especially around file system monitoring bypass to hide suspicious file activity. ## 4. A New Minifilter Abuse Technique to Disable EDRs In this section, we present a novel technique which allows to entirely disable EDR agents and prevent them from running on endpoints. This technique relies on the registration of a PreOperation callback to prevent EDR agents from accessing critical resources, effectively crippling them. We dive into the Kernel concepts involved and provide a step-by-step breakdown of the whole process. We compare this new technique to other minifilter abuse techniques in terms of effectiveness in hiding malicious activities and IoCs. ## 5. Detecting Minifilter Abuse In this final section, we explore the defensive side of things: - Potential countermeasures and their limitations - Potential strategies for detecting and mitigating minifilter-based attacks ## 6. Conclusion and Q&A Finally, we will summarise the key takeaways and open the floor for questions and discussion. false https://cfp.securitybsides.org.uk/bsides-london-2024/talk/V8QCKM/ https://cfp.securitybsides.org.uk/bsides-london-2024/talk/V8QCKM/feedback/ Track 3 Talk 2024-12-14T15:40:00+00:00 15:40 00:45 There are thousands of scamming and phishing attacks performed every day. It is one of the most lucrative and profitable forms of hacking, involving the manipulation of humans. But how do criminals reach their victims? What are their techniques? And can anyone be hacked? The answer is yes, and I will show you the process of how to achieve that. bsides-london-2024-54869-let-s-phish-how-to-scam-everyone-everywhere-all-at-once Main talk track Dita Pesek en You will hear two stories of crime: the story of a kidnapped daughter and the story of a fake DJ. In these stories, we will explore key techniques that, when implemented correctly, can provide a blueprint for hacking anyone. Preparation of a Hack: Identifying the right victim and their weaknesses. This section of the talk outlines simple steps for uncovering a target's vulnerabilities that can be exploited. We will dive into how to evaluate time, effort, and reward like a true criminal. The Attack: The process and closure. What techniques work and how to keep the victim engaged. As we will see, these techniques are straightforward and can be applied to any victim profile. The Reward: What is the reward, and what happens if a financial transaction is involved? This section will emphasize that the hack is often the easier part. Cleaning the money requires seasoned criminals. The talk will address a broader question: What can we, as cybersecurity professionals, do, and has our approach been wrong? The talk will conclude by analyzing different types of attackers because if we do not understand the psychology of the criminal, the techniques we employ to protect targets will continue to be insufficient. false https://cfp.securitybsides.org.uk/bsides-london-2024/talk/9PXYXH/ https://cfp.securitybsides.org.uk/bsides-london-2024/talk/9PXYXH/feedback/ Track 3 Talk 2024-12-14T16:35:00+00:00 16:35 00:45 For nearly three decades, SIEM tools have been the cornerstone of the SOC, centralising threat detection, alerting, and commonly used for ticketing, case management, and SOC metrics. But what if this essential tool could be bypassed, evaded, or even directly attacked? Having both several years experience working directly for various SIEM vendors, we shall discuss and explore these possibilities in more depth, as well as emphasise the importance of continuous control testing. We will aim to give some ideas to offensive teams, and also give defenders some things to think about! bsides-london-2024-56742-siem-escape-and-evade Main talk track Daniel Crossley en SOC teams commonly rely on Security Information and Event Management (SIEM) tools to detect, analyse, and respond to security threats. In this presentation, we will introduce key SIEM concepts and the role of the SIEM in the SOC, as well as discuss shortfalls of SIEM tools. Then we shall explore the possibility of attacks and evasion techniques in SIEMs. We will also discuss the general challenges of managing SIEMs in enterprise environments. Not only will we cover the technical aspects, but also highlight processes, organisation dependencies and discuss non-technical mitigations. Attacking a SIEM involves exploiting vulnerabilities in data ingestion, correlation rules, and alert mechanisms to manipulate the very systems designed to detect malicious activities. Specifically, we will cover: - Introduction to Security Information and Event Management (SIEM) tools, architectures, and their role in the SOC - Common log sources and ingest methods - Custom apps and add-ons - Cloud-native SIEMs - Key vulnerabilities and attack vectors in SIEM systems: Data ingestion manipulation, Correlation rules exploitation, Alert bypass techniques - How organisational structures and supporting processes can be exploited We are hoping to help defenders and offensive teams better understand the risks involved with SIEM deployments, whilst emphasising the importance of simulating real-world attack scenarios. false https://cfp.securitybsides.org.uk/bsides-london-2024/talk/LZ7Z9Z/ https://cfp.securitybsides.org.uk/bsides-london-2024/talk/LZ7Z9Z/feedback/ Rookie track 1 Rookies track 2024-12-14T10:00:00+00:00 10:00 00:15 Just how vulnerable are the AI models we are coming to see pop up every other week? We've all heard of "jailbreaking" LLMs, but that's just the tip of the iceberg. With the rapid adoption of AI technologies, it opens the door for a myriad of attacks. In this talk, we go over a the MITRE Adversarial Threat Landscape for AI Systems (short for ATLAS) framework, and delve into some case studies exposing some of the most worrying AI attacks in recent years. bsides-london-2024-56755-mitre-atlas-exploring-ai-vulnerabilities Rookies Arthur Frost en This is a talk about the MITRE ATLAS framework. I'll first discuss how the ATLAS framework is built on top of the ATT&CK framework, before delving into some key differences with respect to vulnerabilities and attack vectors specific to what MITRE calls "AI-Enabled Systems". I'll walk you through two case studies, one with a 'good' actor, the other a 'bad' one, and how investigation is made easier by using the ATLAS framework. Finally, I'll show you how you can protect your organization against AI attacks by utilizing various mitigations, of which 25 are documented in this framework, covering various vulnerabilities. false https://cfp.securitybsides.org.uk/bsides-london-2024/talk/AG8NTC/ https://cfp.securitybsides.org.uk/bsides-london-2024/talk/AG8NTC/feedback/ Rookie track 1 Rookies track 2024-12-14T10:25:00+00:00 10:25 00:15 In an era where cyber threats are increasingly sophisticated and network perimeters are becoming obsolete, traditional security approaches are falling short. This presentation will highlight why embracing a Zero Trust approach is crucial for modern cyber defense. By adhering to the principle of "never trust, always verify," Zero Trust revolutionizes security by continuously validating every user, device, and access request, rather than assuming trust based on network location. bsides-london-2024-55829-adopt-or-risk-why-zero-trust-is-key-to-modern-cyber-defence Rookies Meletius Igbokwe en As the digital landscape evolves and cyber threats become more sophisticated, organizations can no longer rely on traditional perimeter-based security. The rise of remote work, cloud adoption, and interconnected systems has expanded the attack surface, leaving organizations vulnerable to breaches and insider threats. "Adopt or Risk: Why Zero Trust is Key to Modern Cyber Defence" offers a critical look at why organisations must shift to a Zero Trust model to effectively safeguard their networks. false https://cfp.securitybsides.org.uk/bsides-london-2024/talk/FEEDHA/ https://cfp.securitybsides.org.uk/bsides-london-2024/talk/FEEDHA/feedback/ Rookie track 1 Rookies track 2024-12-14T10:55:00+00:00 10:55 00:15 Abstract: What if the technology designed to protect your Windows System could be used against it? In this session, we will dwell deep into the journey of a hidden world of Use Access Control (UAC) and Component Object Model (COM), uncovering how attackers can turn these essential security features into weaponization for privilege escalation. Join me as we pull back the curtain on the often-overlooked vulnerabilities within UAC and COM, revealing how crafty an adversary exploits elevated COM interfaces to bypass UAC consent prompts without user interaction through live demonstration and real-world examples from prolific Ransomware (BlackCat). This is not all about bad news. It also equips you with the knowledge and tools to detect, prevent, and defend against these sophisticated techniques. Whether you’re a cybersecurity veteran or a curious newcomer, this talk promises to deepen your understanding of Windows Internal and elevate your defense strategies against UAC Elevated COM-Bypass exploits. Key Takeaways: 1. Intersection of COM and UAC: COM objects are used by various applications in Windows to perform tasks. Some of these objects run with elevated privileges. UAC is designed to prevent unauthorized elevation, but if a COM object is improperly configured, it can be exploited to bypass UAC. 2. Exploitation Method: This bypass typically involves identifying a vulnerable COM object that does not trigger a UAC prompt when instantiated. An attacker can execute their payload through this object, gaining elevated privileges without user consent. 3. Live Demo: Examples from prolific Ransomware, BlackCat, and skeleton code. 4. Threat Hunt Use Case: Detection Logic/Tools and actionable IOCs for UAC Bypass. bsides-london-2024-55625-commanding-heights-unmasking-com-based-uac-bypass-techniques Rookies Amankumar Badhel en Description: The Elevated COM (Component Object Model) UAC (User Account Control) bypass is a technique used by attackers to escalate privileges on a Windows system without triggering a UAC prompt. UAC is a security feature in Windows that helps prevent unauthorized changes to the operating system by requiring user consent or administrator-level approval for certain actions. The bypass demonstrated in this talk leverages elevated COM objects identified by the CLSID {3E5FC7F9-9A51-4367-9063-A120244FBEC7} that run with higher privileges to execute malicious code, thereby circumventing UAC protections. Key Points 1. Overview of UAC 2. Overview of COM 3. UAC and COM: Security Intersection 4. Abusing UAC Elevate COM Interfaces 5. Case Study • BlackCat - Ransomware 6. Live Demo 7. Monitoring and Detection • Threat Hunt, Detection Logic\Tool 8. Q&A false https://cfp.securitybsides.org.uk/bsides-london-2024/talk/N3ZG7S/ https://cfp.securitybsides.org.uk/bsides-london-2024/talk/N3ZG7S/feedback/ Rookie track 1 Rookies track 2024-12-14T11:20:00+00:00 11:20 00:15 This engaging presentation highlights the unique journey of a non-technical professional – a lawyer turned cybersecurity enthusiast – breaking into the field. Drawing from personal experiences including founding the Women in Cybersecurity (WiCyS) Surrey Chapter, winning a social engineering competition sponsored by the Cybersecurity Infrastructure Security Agency (CISA), and gaining hands-on experience in Cyber Threat Intelligence (CTI) as an MSc student, she offers actionable insights for those looking to transition into cybersecurity. This session aims to simplify the path to cybersecurity for individuals without a traditional tech background, emphasising the importance of networking, community organisations, and hands-on experience in facilitating this transition while highlighting the common challenges faced and strategic approaches to overcome them. Whether you're contemplating a career change or looking to diversify your security team, this session offers valuable insights into the power of non-traditional backgrounds in strengthening the cybersecurity workforce. bsides-london-2024-56783-from-zero-to-cyber-hero-a-non-techie-s-guide-to-breaking-into-cybersecurity Rookies Egonna Anaesiuba-Bristol en This 15-minute presentation aims to inspire and guide non-technical individuals who want to pursue a career in cybersecurity. With the cybersecurity industry facing a significant skills gap, there is a need for diverse perspectives in addressing growing security challenges. Key points to be covered include: 1) The speaker's journey from a non-technical background to cybersecurity, including overcoming common challenges faced by career-changers. 2) The value of diverse perspectives in cybersecurity and how non-technical backgrounds can be an asset in the field. 3) The role of communities in skill development and networking, highlighting experiences as a WiCyS (Women in CyberSecurity) Surrey chapter leader. 4) The importance of participating in cybersecurity competitions and how they contribute to practical skill-building. 5) Strategies for utilising conferences and networking events to secure work experiences, such as the speaker's CTI opportunity. 6) Practical advice for building a foundation in cybersecurity, including resources, learning paths, and key focus areas for beginners. The presentation will be particularly valuable for: Professionals considering a career change into cybersecurity Hiring managers looking to diversify their security teams Current cybersecurity professionals interested in mentoring newcomers By highlighting the speaker's experiences with the Women in Cybersecurity (WiCyS) Surrey Chapter, success in a CISA-hosted competition, and work in Cyber Threat Intelligence, this talk demonstrates how non-traditional paths can lead to meaningful contributions in cybersecurity. false https://cfp.securitybsides.org.uk/bsides-london-2024/talk/P3JVM8/ https://cfp.securitybsides.org.uk/bsides-london-2024/talk/P3JVM8/feedback/ Rookie track 1 Rookies track 2024-12-14T11:50:00+00:00 11:50 00:15 Exploring real world stories of physical security tests and the relationship between my obsession with the 1992 film sneakers and my chosen line of work. bsides-london-2024-56588-robert-redford-made-me-do-it-physical-security-stories-and-tips Rookies Matthew Steed en Sneakers, the best hacker film…period. This talk aims to share my enthusiasm for the adrenaline rush of bypassing physical security measures through personal stories and engagement tales while sharing tips and tricks that I have learned along the way. false https://cfp.securitybsides.org.uk/bsides-london-2024/talk/AWDYG7/ https://cfp.securitybsides.org.uk/bsides-london-2024/talk/AWDYG7/feedback/ Rookie track 1 Rookies track 2024-12-14T12:10:00+00:00 12:10 00:15 Alan used to participate in global OSINT CTFs until they suddenly stopped. Now they speak about their experience to help people make an informed decision when it comes to participating in future event bsides-london-2024-56285-it-s-been-a-good-run-why-i-stopped-doing-osint-ctfs Rookies Alan O'Reilly en Alan is a holder of a TraceLabs black badge, an honour they still hold dear despite not having any interest in competing for nearly 4 years. Finally, after all these years they're ready to give their reasons so that others may learn about some small issues that were present in the early days so that they may make informed decisions when it come to participation. NOTICE: Whilst anonymised, this talk will be discussing missing people and as such the talk may not be suitable for younger audiences false https://cfp.securitybsides.org.uk/bsides-london-2024/talk/7RVA7Z/ https://cfp.securitybsides.org.uk/bsides-london-2024/talk/7RVA7Z/feedback/ Rookie track 1 Rookies track 2024-12-14T12:35:00+00:00 12:35 00:15 In the cyber security world there are many challenges faced by numerous different people. One of those groups are those who are disabled, there is 16.1 million people (24% of the population) in the UK who are considered disabled and yet they are rarely taken into account when new policies are being made. I want to bring to light this issue specifically when it comes to passwords, for able bodied people they are already a pain but for those of us who are disabled they are a nightmare and even new technologies like MFA can be more of a burden than they set out to be. I'm proposing some solutions to this like the wonderful world of password managers and even physical storage for passwords and shining light on some outdated views like the dreaded password expiry that in fact only makes accounts less secure. Now, you may wonder who am I to be speaking on such a sensitive topic, I am a Cyber Security student from Manchester Metropolitan University and I have been disabled since the age of 4. I have seen first hand the struggles that those with different disabilities to me face and I also have first hand experience with some of those struggles. My intention is to hopefully get you all thinking about how you can make your workplace more accessible and implementing some ideas to make everyone's life easier but especially for those who already struggle. bsides-london-2024-56981-password-hell-accessibility-challenges-in-cyber-security Rookies Ana Maia en Slide order 1 - What is the issue? 2 - Why is this an issue? 3 - Why am I talking about it? 4 - What are the challenges that people face? 5 - What are some outdated protocols and why you shouldn't use them 6 - What are some solutions to this problem? 7 - Conclusion false https://cfp.securitybsides.org.uk/bsides-london-2024/talk/PGDUDM/ https://cfp.securitybsides.org.uk/bsides-london-2024/talk/PGDUDM/feedback/ Rookie track 1 Rookies track 2024-12-14T13:00:00+00:00 13:00 00:15 In the evolving landscape of cybersecurity, maintaining up-to-date threat models is a critical yet challenging task for security teams. Traditionally, architecture diagrams have served as the basis for initial threat modelling. However, as application features rapidly evolve, these static models often become outdated, leaving organisations vulnerable to emerging threats. bsides-london-2024-54604-continuous-threat-modelling-using-large-language-models Rookies Gurunatha Reddy GPranay Sahith Bejgum en This talk introduces an innovative approach to continuous threat modelling by leveraging Large Language Models (LLMs). It covers how LLMs can help automating the analysis of rapid application changes, identify potential security vulnerabilities, and suggest mitigations in real time. false https://cfp.securitybsides.org.uk/bsides-london-2024/talk/L3KZC7/ https://cfp.securitybsides.org.uk/bsides-london-2024/talk/L3KZC7/feedback/ Rookie track 1 Rookies track 2024-12-14T13:20:00+00:00 13:20 00:15 Everybody loves a good story and within our industry we encounter some fascinating stories! However, the ability to convey often complex and technical details to a varied and multi-disciplinary audience can be an overlooked - but incredibly valuable - skill for cybersecurity professionals, especially in technical roles. Storytelling can be a critical part of effective cybersecurity incident and threat intelligence reporting; it provides necessary context to the threats we face, as well as the mitigations, remediation steps and other actions we need to take to protect our data, environments, and organisations. This presentation outlines key tips and tricks for leveraging technical writing skills to produce effective, impactful and actionable investigation notes and reports. By mastering the power of storytelling and effective technical writing, security professionals have the opportunity to make the threats we face and incidents we encounter more relatable to non-technical readers, therefore improving the accessibility, understanding and impact of our work. bsides-london-2024-57016-storytelling-for-soc-analysts-effective-investigation-notetaking-and-report-writing-without-chatgpt Rookies Han O’Connor en Want to be able to write high quality reports without AI chatbots? This talk outlines top tips for leveraging technical writing skills to produce effective, impactful and actionable investigation notes and reports. The talk will also highlight quick wins to improve your technical writing skills, exploring key areas including: - Knowing your audience - Adopting an Incidents/Threats for Dummies approach - Why Context is your friend, and - Why AI most certainly is not! false https://cfp.securitybsides.org.uk/bsides-london-2024/talk/SYLV3X/ https://cfp.securitybsides.org.uk/bsides-london-2024/talk/SYLV3X/feedback/ Rookie track 1 Rookies track 2024-12-14T13:50:00+00:00 13:50 00:15 This talk examines how the crisis management principles of aviation "Aviate, Navigate, Communicate" can be effectively applied to cybersecurity. It highlights promoting a no-blame culture, empowering security culture across an organisation and preparing for unforeseen events, drawing on aviation’s century of safety advancements. bsides-london-2024-56942-the-psychology-of-cyber-navigating-a-crisis-like-a-pilot Rookies George Chapman en Explore how aviation’s crisis management strategies can inform cybersecurity practices. This session addresses the psychological impact of crises, the importance of open communication, and practical approaches to managing unpredictable situations with confidence and composure. false https://cfp.securitybsides.org.uk/bsides-london-2024/talk/7SJJBW/ https://cfp.securitybsides.org.uk/bsides-london-2024/talk/7SJJBW/feedback/ Rookie track 1 Rookies track 2024-12-14T14:15:00+00:00 14:15 00:15 Do you use Raspberry Pi as a Home Assistant to manage remote devices via Bluetooth? Or your phone with wireless devices? That's extremely convenient, but did you know that it can be easily compromised - and that some devices may still be unpatched? bsides-london-2024-54555-brakrpi-crashing-bluetooth-communications-on-raspberry-pi-with-braktooth Rookies Ilias en In August 2021, a group of researchers from Singapore called ASSET disclosed the series of vulnerabilities in commercial Bluetooth stacks ranging from DDoS to Arbitrary Code Execution - which was called Braktooth. It affected major vendors such as Intel, Cypress, Qualcomm and Espressif. While researchers' main focus was to test laptops, smartphones and audio devices, one class of devices that went untested were Raspberry Pis. In this talk, I will describe how I was able to add small contribution to this research by proving that Raspberry Pi was also vulnerable to Braktooth due to the usage of Cypress System-on-Chip (SoC). This presentation is beginner-friendly and no prior knowledge is required. It will cover the brief explanation of Braktooth series and more detailed explanation of documented process of crashing Bluetooth communications between Raspberry Pi and a remote speaker, why fixing this won't be enough with a simple code patch, and suggestions to mitigate the risks. false https://cfp.securitybsides.org.uk/bsides-london-2024/talk/HV7REQ/ https://cfp.securitybsides.org.uk/bsides-london-2024/talk/HV7REQ/feedback/ Rookie track 1 Rookies track 2024-12-14T14:45:00+00:00 14:45 00:15 Deepfakes have become an increasing source of concern as AI advances. These extremely lifelike, digitally made videos can be used to propagate falsehoods, harm reputations, and even commit financial crimes. This talk would go into the complexities of deepfake technology, discussing how it is made and the potential repercussions. We will talk about effective detection techniques, preventive measures, and the role of legislation in tackling this increasing problem. Understanding the issues offered by deepfakes allows us to better navigate the digital realm and protect ourselves from their negative consequences. bsides-london-2024-56739-unmasking-the-deepfake-threat-detection-prevention-and-navigating-the-future Rookies Onyedikachi Ugwu en This talk will provide a comprehensive overview of deepfakes, exploring how they are been created, to the detection, and prevention of it. Participants will gain a deeper understanding of the risks posed by deepfakes, learn about effective countermeasures, and discover the latest advancements in deepfake detection technology. Participants will leave this workshop with the information and skills needed to navigate the ever-changing environment of deepfake threats and defend themselves and their organisations. false What Are Deepfakes and How Are They Created? What are deepfakes? How fake AI-powered audio and video warps our perception of reality The Emergence of Deepfake Technology: A Review Lawmakers concerned about deepfake AI's election impact https://cfp.securitybsides.org.uk/bsides-london-2024/talk/RFGTEW/ https://cfp.securitybsides.org.uk/bsides-london-2024/talk/RFGTEW/feedback/ Rookie track 1 Rookies track 2024-12-14T15:05:00+00:00 15:05 00:15 AI models trained specifically for security are here, why should devs have all the fun? Pair hacking with tools like WhiteRabbitNeo speeds up your process and reduces tedium inherent in most security roles. WhiteRabbitNeo is an uncensored, open-source LLM that has been trained on red team data. Learn how WhiteRabbitNeo can help you harden your source code and improve configuration security while reducing hours of DevSecOps tedium to minutes. WhiteRabbitNeo will research vulnerabilities, propose exploits, and help package malware payloads while you focus on the creative side of cybersecurity: crafting the perfect delivery method for the exploit. bsides-london-2024-56437-threat-analysis-in-minutes-and-other-ai-super-powers Rookies Bailey Williams en Using AI models often means sharing information with AI companies and running into guardrails that keep you from accomplishing cybersecurity tasks. I contribute to WhiteRabbitNeo to help build a community-driven, open source alternative. During this talk I will teach attendees from the beginner cybersecurity enthusiast to the senior cyber analyst how to use AI how to learn new concepts, create custom hacking tools in any language, analyze code, and complete threat analysis tasks in seconds rather than hours. false https://cfp.securitybsides.org.uk/bsides-london-2024/talk/URK98E/ https://cfp.securitybsides.org.uk/bsides-london-2024/talk/URK98E/feedback/ Rookie track 1 Rookies track 2024-12-14T15:40:00+00:00 15:40 00:15 For application security engineers, managing CVEs has become an overwhelming task due to the rising number of CVEs, inaccurate vulnerability scanners, and user demands for zero CVEs in dependencies. My talk aims to demonstrate how VEX documents can eliminate the time-consuming spreadsheet back-and-forths by programmatically expressing vulnerability applicability information. By showcasing a workflow and tools introduced for Cilium, I will illustrate how VEX documents enable automatic exclusion of non-applicable CVEs from scanners, distribute triage workload to knowledgeable teams, and generate documentation on vulnerability applicability. Real examples from Isovalent's use of VEX documents in our security workflow will support these points. I hope attendees will leave convinced of the benefits of generating and using VEX documentation to focus more on addressing real vulnerabilities. bsides-london-2024-57014-vexatious-vulnerabilities-cve-management-for-the-overwhelmed-security-engineer Rookies Feroz Salam en For application security engineers, CVE management has become a huge burden in recent years. Caught between the accelerating number of CVEs granted each year, vulnerability scanners that are unable to accurately identify applicability, and users who demand zero CVEs in dependencies, security engineers become spreadsheet engineers, devoting large amounts of time to explaining why the latest set of CVEs identified by a vulnerability scanner do not matter. The aim of my talk is to highlight the potential of VEX documents to render these spreadsheet back-and-forths obsolete. At their core, VEX documents allow for the expression of vulnerability applicability information in a programmatic manner. By highlighting a workflow and related tooling that I have introduced for Cilium (the CNCF-graduated CNI for Kubernetes), I will show how using VEX documents gives security engineers: - The ability to automatically exclude triaged results from vulnerability scanners (including popular scanners such as Grype and Trivy), reducing customer friction and allowing customer security teams to ‘self-service’ vulnerability applicability. - The ability to spread the load of CVE triage onto the teams that know the most about the products that may be affected. - The ability to automatically generate documentation regarding vulnerability applicability. All of these points will be accompanied by real examples of how Isovalent, the company I work for and the creators of Cilium, use VEX documents in our daily security workflow. By the end of my talk, I hope that attendees will leave convinced that they should be generating and consuming VEX documentation too, in order to minimise the amount of time we spend in spreadsheets, and maximise the amount of time that we spend hunting and fixing real vulnerabilities. false https://cfp.securitybsides.org.uk/bsides-london-2024/talk/EWZVMW/ https://cfp.securitybsides.org.uk/bsides-london-2024/talk/EWZVMW/feedback/ Rookie track 1 Rookies track 2024-12-14T16:00:00+00:00 16:00 00:15 With the growth of robotics and IoT, embedded devices are vital but often vulnerable. This talk explores security challenges in embedded systems, highlights real-world attacks, and provides practical defense strategies. Engineers and cybersecurity professionals will gain insights into protecting devices in robotics and IoT from design to deployment. bsides-london-2024-56324-securing-embedded-devices-in-robotics-and-iot-bridging-the-gap-between-innovation-and-security Rookies Victor Oriakhi Nosakhare en Embedded devices are the backbone of modern robotics and IoT, but their widespread use has introduced unique security risks. This session delves into hardware, firmware, and communication vulnerabilities that leave embedded systems open to cyberattacks. Attendees will explore real-world attack scenarios and learn effective defense strategies to secure embedded devices from design to deployment. Additionally, we’ll discuss future trends like AI-driven anomaly detection and hardware root-of-trust, offering a forward-looking view of embedded device security. This talk is designed for engineers, developers, and security professionals looking to strengthen the security of robotics and IoT infrastructures. false https://cfp.securitybsides.org.uk/bsides-london-2024/talk/EMHSZC/ https://cfp.securitybsides.org.uk/bsides-london-2024/talk/EMHSZC/feedback/ Rookie track 1 Rookies track 2024-12-14T16:35:00+00:00 16:35 00:15 Due to the technological advancements in the world, using web applications to securely access shared data has become a popular choice. However, the downside to that is personal sensitive data is exposed. Around 74 % of personal data all over the internet is vulnerable to known web application attacks. Moreover, 90% of global cyberattacks happen through web applications. Keeping up with the attack vectors has become a challenge because of the ever-changing security landscape. This increase in attack surge for web applications needs a proactive and extensive solution. Cyber defenders are constantly facing new challenges in the identification of threats as cyberattacks are becoming more sophisticated hence there is a need to monitor, analyse, and mitigate these threats with priority. To address this gap, research is needed to enhance the security of web applications using honeypots, threat intelligence, and automation. This research aims to provide web developers with a solid foundation to protect against the growing range of cyber risks. bsides-london-2024-56402-owasp-honeypot-threat-intelligence-project Rookies Kartik Adak en This project involves enhancing the security posture of the web applications by deploying ModSecurity based honeypots over Amazon EC2 instances to lure the attacker to use various tools and attack techniques to compromise the application and logging the attack vectors for threat analysis. These Amazon EC2 instances are spread across different regions of the world to cover the global landscape. The output of these honeypots is logged in a S3 bucket in JSON format which can be used as a threat intelligence dataset for finding web traffic anomalies. Furthermore, we can use a JSON visualisation tool such as JSON crack for pattern matching and detect the anomaly in the dataset which could be useful for patching the application as well as creating a baseline for the web developers for future development. false https://cfp.securitybsides.org.uk/bsides-london-2024/talk/QADXSB/ https://cfp.securitybsides.org.uk/bsides-london-2024/talk/QADXSB/feedback/ Rookie track 2 Rookies track 2024-12-14T10:00:00+00:00 10:00 00:15 Ever wondered what the structure of a vendors Patient Medication Record software looks like? A lighthearted look at fun and games had over a 20 year period 'testing' the system.... bsides-london-2024-56797-an-introduction-to-patient-medication-records Rookies Darren en This talk will highlight issues with current Patient Medication Record software, some solutions and what I found whilst working as a retail Pharmacist. The aim is to reveal the results in a lighthearted way, there'll be thrills and spills on the journey and some results may astound. But remember all your records are still safe with me!! false https://cfp.securitybsides.org.uk/bsides-london-2024/talk/QEEQCS/ https://cfp.securitybsides.org.uk/bsides-london-2024/talk/QEEQCS/feedback/ Rookie track 2 Rookies track 2024-12-14T10:25:00+00:00 10:25 00:15 Do you actually know if you have been breached? Do you know your critical assets, what you can't see? Monitoring and logging is a simple construct, however most companies see it as a tick-box exercise. This presentation looks into the following, eyes on the ground approach. - answers the why, how , what - looks in to basics around asset management, critical data, users, end points, networks, etc - key missed areas, like policy, people, and physical. - summaries an approach based on a risk based approach. this will cover examples and be lighted hearted and funny at times. - questions - end bsides-london-2024-57005-can-you-see-a-risk-approach-to-siem Rookies Richard Kirk en Do you actually know if you have been breached? Do you know your critical assets, what you can't see? Monitoring and logging is a simple construct, however most companies see it as a tick-box exercise. This presentation looks into the following, eyes on the ground approach. - answers the why, how , what - looks in to basics around asset management, critical data, users, end points, networks, etc - key missed areas, like policy, people, and physical. - summaries an approach based on a risk based approach. this will cover examples and be lighted hearted and funny at times. - questions - end false https://cfp.securitybsides.org.uk/bsides-london-2024/talk/FFZ3P3/ https://cfp.securitybsides.org.uk/bsides-london-2024/talk/FFZ3P3/feedback/ Rookie track 2 Rookies track 2024-12-14T10:55:00+00:00 10:55 00:15 This talk examines the expanding role of artificial intelligence (AI) in social engineering, focusing on how AI-driven tools are used to shape public opinion and influence group behaviour on a large scale. bsides-london-2024-56417-is-ai-the-new-big-brother Rookies Tom en This talk explores the potential of artificial intelligence (AI) to be using in social engineering. It also discusses the concept of mass social engineering, where individuals or groups are manipulated to behave or think in a predefined manner, and how AI can facilitate this process. The talk highlights the concern over AI's role in mass social engineering, including its impact on war, political opinions, privacy, and social inequality. false https://cfp.securitybsides.org.uk/bsides-london-2024/talk/BUZ9ST/ https://cfp.securitybsides.org.uk/bsides-london-2024/talk/BUZ9ST/feedback/ Rookie track 2 Rookies track 2024-12-14T11:20:00+00:00 11:20 00:15 The use of Generative Artificial Intelligence (AI), particularly Large Language Models (LLMs), is rapidly increasing across various sectors, bringing significant advancements in automating tasks, enhancing decision-making, and improving user interactions. However, this growing reliance on LLMs also introduces substantial security challenges, as these models are vulnerable to various cyber threats, including adversarial attacks, data breaches, and misinformation propagation. Ensuring the security of LLMs is essential to maintain the integrity of their outputs, protect sensitive information, and build trust in AI technologies. This talk will examine the security vulnerabilities that are inherent in Large Language Models (LLMs), with a particular focus on injection techniques, client-side attacks such as Cross-Site Scripting (XSS) and HTML injection, and Denial of Service (DoS) attacks. Through the simulation of these attack vectors, the study assesses the responses of various pre-trained models like GPT-3.5 Turbo and GPT-4, revealing their susceptibility to different forms of manipulation. The talk will also underscore the critical risk of these vulnerabilities, especially when exploited in a real-time corporate environment, where they can lead to significant disruptions, unauthorized access, data theft, and compromised system integrity. bsides-london-2024-56965-llm-security-attacks-and-controls Rookies Nazeef Khan en The talk is structured to fulfil the following objectives: 1. Evaluate approaches for identifying exploitation of security vulnerabilities in large language models (LLMs). 2. Investigate the response of various pre-trained models to attacks on LLMs. 3. Develop and assess security controls to mitigate cyber risks associated with LLM attacks. The 15-minute talk will focus on Large Language Models (LLMs) will extensively explore the vulnerabilities, particularly in the context of adversarial attacks, types of prompt injection attacks on LLMs, Insecure output handling, Client side Injection attacks and denial-of-service (DoS) attacks. However, there remains a research gap in the systematic simulation and comparative analysis of these attacks across different LLM architectures and configurations. Current studies predominantly focus on individual attack vectors or specific LLMs, lacking a holistic approach that examines the interplay between multiple attack types and their cumulative impact on LLM performance and security. Most weaknesses in AI models stem from injection techniques, which can be particularly harmful when the model or the API used to access the model makes incorrect calls to the database, inadvertently retrieving sensitive content that does not align with established guidelines. These vulnerabilities underscore the critical need to thoroughly understand how AI models interact with third parties and the potential risks associated with these interactions. false https://cfp.securitybsides.org.uk/bsides-london-2024/talk/MSPTC8/ https://cfp.securitybsides.org.uk/bsides-london-2024/talk/MSPTC8/feedback/ Rookie track 2 Rookies track 2024-12-14T11:50:00+00:00 11:50 00:15 Malicious domains are part of the landscape of the internet but are becoming more prevalent and more dangerous to both companies and individuals. Tracking, blocking and detecting such domains is complex, and very often involves complex allow or deny list management or SIEM integration with open-source TLS fingerprinting techniques. Many fingerprint techniques such as JARM and JA3 are used by threat hunters to determine domain classification, but with the increase in TLS similarity, particularly in CDNs, they are becoming less useful. This presentation demonstrates how we can adapt and evolve open-source TLS fingerprinting techniques with increased features to enhance granularity, and to produce a similarity mapping system that enables the tracking and detection of previously unknown malicious domains. This is done by enriching TLS fingerprints with HTTP header data and producing a fine grain similarity visualisation that represented high dimensional data using MinHash and local sensitivity hashing. Influence was taken from the Chemistry domain, where the problem of high dimensional similarity in chemical fingerprints is often encountered. bsides-london-2024-56948-from-molecules-to-malware-visualising-tls-fingerprints-with-tmap-to-hunt-malicious-domains Rookies Amanda Thomson en The presentation focuses on a more resilient approach to TLS fingerprinting - particularly one that handles the encrypted client hello and the granularity loss encountered when fingerprinting CDNs. The method of visualising similarities is used effectively in the chemical arena and can be used as a method for early detection of malicious domains and websites. false https://cfp.securitybsides.org.uk/bsides-london-2024/talk/RA9DK8/ https://cfp.securitybsides.org.uk/bsides-london-2024/talk/RA9DK8/feedback/ Rookie track 2 Rookies track 2024-12-14T12:10:00+00:00 12:10 00:15 Distroless containers only contain your application and its dependencies. In theory, they’re a great security best-practice. bsides-london-2024-57024-a-minimal-talk-on-distroless-containers Rookies Will Dollman en But in practice, it’s really hard to find examples of companies outside of the tech giants that have successfully adopted distroless containers. Minimal, hardened containers have huge benefits for security teams: reduced attack surface, cleaner vulnerability scans, improved isolation, and simpler supply chains. But how can a security engineer achieve them without the resources of a tech giant? At Sourcegraph, we faced a lot of pain with vulnerability management in containers, prompting our switch to distroless. In this talk I’ll cover: - Distroless containers from scratch - The tooling that’s available - Real-world experience from migrating a complex SaaS application to distroless - what went well, and what was unexpectedly hard false https://cfp.securitybsides.org.uk/bsides-london-2024/talk/MEBCGT/ https://cfp.securitybsides.org.uk/bsides-london-2024/talk/MEBCGT/feedback/ Rookie track 2 Rookies track 2024-12-14T12:35:00+00:00 12:35 00:15 Quantum Computing and Quantum Safe Cryptography seem to be buzzing up hype on all platforms. While no one is seemingly refuting the potential for Quantum Computers, the general sentiment seems to be that Quantum Computers won't be available for some time. If we stop thinking about Quantum Computers for a minute and just focus on Cryptography it self and how deeply it is embedded into our every day lives, perhaps the problem will become more evident. bsides-london-2024-55109-quantum-safe-cryptography-a-buzzword-or-something-more-serious Rookies Suketu en The industry is abuzz with the words Quantum Computers and Quantum Safe Cryptography being plastered everywhere. What actually is going on here? Are Quantum Computers really going to cause havoc? Will Quantum Computers be a real threat some day? Algorithms that make use of Quantum Physics have already been developed that will have real world repercussions on cryptography we use today. NIST (the National Institute of Standards and Technology), a well known body within cyber security has just released a set of standardised Quantum Safe Cryptographic algorithms. Something that has taken them years of study (8 years infact) to ensure that the algorithms cannot be easily broken or private data and keys decrypted easily. Well, what does that mean in general, and what does it mean for you? The word Quantum might be used to generate the hype, but the real underlying issue is the integration of cryptography just about everywhere. Cryptography is embedded in our devices, in our routers and networking, in servers, in hardware, in containers, in firewalls, in file-transfer software, and anywhere else you can think of. Digital Certificates help lay the foundations of secure communications everywhere. Cryptography is a fundamental control used to protect confidentiality and integrity. The real issue lies in the effective migration of cryptography, and in a timescale that ensures protection against an ever-looming threat. false https://cfp.securitybsides.org.uk/bsides-london-2024/talk/P8MKRR/ https://cfp.securitybsides.org.uk/bsides-london-2024/talk/P8MKRR/feedback/ Rookie track 2 Rookies track 2024-12-14T13:00:00+00:00 13:00 00:15 In this session, I will present my research on disrupting drone operations by targeting their command-and-control (C2) channels and analyzing the forensic evidence left behind. My work explores various disruption techniques, such as Wi-Fi de-authentication, man-in-the-middle (MITM) attacks, video stealing, and drone disabling using tools like Flipper Zero, ESP32 microcontrollers, and Linux command-line utilities. I will also delve into the forensic analysis conducted post-attack to identify digital footprints and network anomalies left by these disruptions. If live demonstrations are not feasible at the conference, I have recorded videos of all the attacks on the drone to showcase them, and some of the attacks can be performed without flying the drone. Alternatively, I can use simulations to demonstrate the techniques. This research provides a framework for detecting and documenting evidence of drone attacks, significantly contributing to the field of drone forensics and cyber-physical security. bsides-london-2024-56397-disabling-drones-disruption-and-forensic-data-analysis Rookies Paavai Aram en Drones have become a crucial part of modern technology, playing vital roles in both civilian and military operations. However, their increasing use also exposes them to various cyber threats, particularly those targeting their command-and-control (C2) channels. In my talk, I will demonstrate practical methodologies developed to disrupt drone systems, using tools such as Flipper Zero, ESP32 microcontrollers, and Aircrack-ng to simulate real-world attacks. I will detail various attack scenarios, including a video stealing attack that intercepts and records drone video feeds, and a drone disabling attack that remotely powers off the drone, rendering it inoperable. Post-attack, I conducted comprehensive forensic analyses to capture network traffic and digital footprints, revealing critical evidence of the disruptions. This talk aims to raise awareness of drone vulnerabilities, present forensic strategies for evidence gathering, and foster the development of effective countermeasures against these threats. false https://cfp.securitybsides.org.uk/bsides-london-2024/talk/MZFXGP/ https://cfp.securitybsides.org.uk/bsides-london-2024/talk/MZFXGP/feedback/ Rookie track 2 Rookies track 2024-12-14T13:50:00+00:00 13:50 00:15 The tale of stumbling across the registry key which reverts MS08-068, permitting SMB reflection attacks. bsides-london-2024-56716-do-loop-back-in-anger Rookies Shane Bourne en In this session, I'll walk through the lesser-known MS08-068 vulnerability and explore the potential for SMB reflection attacks in 2024, uncovering a root cause hidden in plain sight within Microsoft's documentation. The talk will include a demonstration of the attack, and you'll receive a script to set up your own lab environment for hands-on practice at home! false https://cfp.securitybsides.org.uk/bsides-london-2024/talk/FEY9FR/ https://cfp.securitybsides.org.uk/bsides-london-2024/talk/FEY9FR/feedback/ Rookie track 2 Rookies track 2024-12-14T14:45:00+00:00 14:45 00:15 As IoT devices increasingly rely on real-time decision-making, generative AI offers immense potential to enhance these processes by predicting complex data patterns. However, this raises important questions about trust: Can AI be relied upon to make autonomous decisions, and how can we ensure its transparency and ethical integrity? This talk will explore the trustworthiness of generative AI in real-time IoT, covering technical challenges, best practices for ensuring accuracy and reliability, and the role of explainable AI (XAI). We will also address ethical and privacy concerns, providing insights on balancing innovation with responsible AI development. bsides-london-2024-56920-the-trustworthiness-of-generative-ai-in-real-time-decision-making-for-iot-devices Rookies Meet BhoraniaYash Akbari en As IoT devices become increasingly autonomous, the need for reliable, real-time decision-making is more critical than ever. Generative AI has the potential to transform these systems by analyzing complex data and enabling smart devices to predict outcomes and respond efficiently. However, with greater AI autonomy comes the pressing question of trust. Can we trust AI to make decisions accurately and responsibly in real-time? This talk will address the technical challenges in ensuring the reliability of AI-driven IoT devices and explore the role of explainable AI (XAI) in fostering transparency and user confidence. We will also dive into the ethical and privacy concerns surrounding AI decision-making in IoT, particularly in sensitive or high-risk environments. Through practical examples and best practices, this session will offer insights on how to design AI-powered IoT systems that are not only innovative but also trustworthy, transparent, and ethically sound. Attendees will leave with a deeper understanding of the critical balance between leveraging generative AI for real-time decision-making and maintaining trust in these technologies. false https://cfp.securitybsides.org.uk/bsides-london-2024/talk/9FVVGB/ https://cfp.securitybsides.org.uk/bsides-london-2024/talk/9FVVGB/feedback/ Rookie track 2 Rookies track 2024-12-14T15:05:00+00:00 15:05 00:15 As a paranoid tech-head, I find cache extremely suspicious. Specifically, cache on modern CPUs. In this talk, I will explain why! In this process, we can explore the idea that we need more systems that are as memoryless as possible, and where there is memory, the data is always well encrypted. I have been, in my own time now for a few months, working with digital logic design to realise some hardware proof of concepts while building in this philosophy. bsides-london-2024-56982-memoryless-peripherals-and-secure-notebooks Rookies Kai Harris en I am not completely insane (yet) - I do leverage a modern smart phones (and their CPU's) like everyone else does to do things like sending dog pictures to the old man. I have to admit, I am someone new to the security space. As such, the first I heard about side-channel vulnerabilities on CPU cache such Meltdown and Spectre was this year. From what I understand (but please do correct me if I am wrong!) - these are only the first iterations in a new genus of exploit. So we can explore a potential approach to designing improved technology for this specific problem set, building at the electronic engineering level all the way to userland. I will also discuss the benefits, challenges, and drawbacks I've encountered, as well as the key insights gained from the exploration thus far. Connect: https://uk.linkedin.com/in/kaiharris606 false https://cfp.securitybsides.org.uk/bsides-london-2024/talk/HYJP7A/ https://cfp.securitybsides.org.uk/bsides-london-2024/talk/HYJP7A/feedback/ Rookie track 2 Rookies track 2024-12-14T15:40:00+00:00 15:40 00:15 As incident responders in the insurance space, we often respond to incidents where critical evidence is no longer available for analysis. This presentation will demonstrate how incident responders can use offensive security techniques to determine likely root causes and inform effective containment strategies. bsides-london-2024-56400-turning-to-the-dark-side-utilizing-offensive-techniques-in-incident-response Rookies Archie Essien en As incident responders in the insurance space, we often respond to incidents where critical evidence is no longer available for analysis either due to hardware failure, complete encryption or eager recovery efforts. This leads to our incident responders taking a step back and using offensive techniques to determine what the most likely method of entry was. This presentation will demonstrate a few of the techniques we have utilized including: Open source intelligence: Identifying network information from open source intelligence. Leaked data: Identifying victim data such as leaked usernames and passwords from data leaks. Active Directory attacks: Identifying common weaknesses in Active Directory configuration and performing attacks against Active Directory accounts and services to identify weak links. false https://cfp.securitybsides.org.uk/bsides-london-2024/talk/LH9ZKL/ https://cfp.securitybsides.org.uk/bsides-london-2024/talk/LH9ZKL/feedback/ Rookie track 2 Rookies track 2024-12-14T16:00:00+00:00 16:00 00:15 We've been in the wrong place at the right time between us for between 30-40 years, in just about every sector imaginable. We're seeing both mid-sized organisations and enterprises in the situation where they have all the consultancy recommendations - Managed Security Service Provider, Endpoint Detection And Response, Network Detection & Response, extended Detection & Response, Managed Detection & Response, but IR still isn't solved. There's frustration from both the MSSPs and Detection & Response providers, and from customers. This talk explores: The difference between Incident Management and Incident Response The history of how people get into Security, and Incident Response Enterprise Architecture View of these The changes that have introduced a wicked problem: Non-Technical or Non-Security Incident Managers attempting Incident Response Technical Incident Responders attempting IR without the business link of Incident management The frustrations from MSSPs and Detection & Response Providers Customer Frustrations Potential ways of solving this within the security community bsides-london-2024-56931-mssp-mdr-mfa-so-why-isn-t-incident-response-solved Rookies Tim Haynes en We've seen many mid sized and enterprise organisations that have a Managed Security Service Provider, Managed Detection & Response and Multifactor Authentication - "So why isn't IR solved?" in the words of one CTO. This talk picks up on frustrations and gaps from both the technical MSSP and MDR side, and from the customer side, and explains why "Just pick a different SOC" isn't necessarily a good answer. We go into some of the enterprise architecture, organisational and human factors from the 90's to today that have caused gaps on both sides, why this matters, and what we think security people can do about it. false https://cfp.securitybsides.org.uk/bsides-london-2024/talk/83QAGY/ https://cfp.securitybsides.org.uk/bsides-london-2024/talk/83QAGY/feedback/ Workshop Room 1 Workshop - Short 2024-12-14T10:00:00+00:00 10:00 02:00 In this workshop, participants will delve into the intricacies of bypassing BitLocker encryption in TPM Only mode. Through hands-on exercises, attendees will gain practical knowledge on monitoring SPI buses with digital logic analysers, extracting TPM data, and mounting and decrypting disks. This session is tailored for penetration testers performing stolen device assessments, red team professionals, security enthusiasts seeking to secure their devices, and forensic analysts involved in data recovery. bsides-london-2024-54502-bypassing-bitlocker-by-sniffing-the-spi-bus Workshops Darren McDonaldCraig S. Blackie en We are inviting you to a comprehensive workshop designed to provide an introduction into bypassing BitLocker encryption. This session will focus on Bypassing BitLocker in TPM Only Mode on laptop with an SPI bus. Participants will explore and engage in the following: * Monitoring SPI Buses with Digital Logic Analysers: Learn how to use digital logic analysers to monitor and interpret SPI bus communications. * Extracting TPM Data: Gain hands-on experience in extracting data from buses for TPM chips. * Mounting and Decrypting Disks: Discover how to mount and decrypt disks protected by BitLocker. This practical exercise will illustrate the step-by-step process of bypassing encryption and gaining access to secured data. * Discussion of other bypass techniques Who Should Attend: * Penetration Testers: Enhance your toolkit for stolen device assessments and red team engagements by mastering techniques to bypass BitLocker encryption. * Security Enthusiasts: Understand the vulnerabilities of your own devices and learn how to better protect them against sophisticated attacks. * Forensic Analysts: Acquire essential skills for data recovery and forensic investigations involving BitLocker-protected devices. This workshop is structured to provide both theoretical knowledge and practical experience, ensuring that participants leave with a basic understanding of BitLocker bypass techniques and the confidence to apply them in real-world scenarios. Knowledge Prerequisites: * Basic Windows familiarity * Basic Linux familiarity * Awareness of BitLocker Attendees will need to bring own laptop with Kali Linux and the dislocker package installed. All other materials will be provided. true https://cfp.securitybsides.org.uk/bsides-london-2024/talk/Y8ZSCJ/ https://cfp.securitybsides.org.uk/bsides-london-2024/talk/Y8ZSCJ/feedback/ Workshop Room 1 Workshop - Long 2024-12-14T12:45:00+00:00 12:45 04:00 This hands-on workshop aims to give you an understanding of the security features and pitfalls of modern containerization tools like Docker and Kubernetes. We’ll cover a range of topics to build up a picture of the security options available and show practical examples of attack and defence on containerized systems. There will be hands-on labs covering common attacks on Docker, Docker containers and Kubernetes clusters. Prerequisites – Familiarity with basic Docker commands and Linux command line use will be helpful, but we’ll provide step-by-step instructions for people who are less familiar with them. Workshop requirements: - A laptop with a web browser that does not have strict filtering in place (e.g. no white-list only corporate proxies) and an SSH client. bsides-london-2024-56218-container-security-and-hacking-with-docker-and-kubernetes Workshops Rory McCuneIain SmartMarion McCune en This hands-on workshop aims to give you an understanding of the security features and pitfalls of modern containerization tools like Docker and Kubernetes. We’ll cover a range of topics to build up a picture of the security options available and show practical examples of attack and defence on containerized systems. There will be hands-on labs covering common attacks on Docker, Docker containers and Kubernetes clusters. Prerequisites – Familiarity with basic Docker commands and Linux command line use will be helpful, but we’ll provide step-by-step instructions for people who are less familiar with them. Workshop requirements: - A laptop with a web browser that does not have strict filtering in place (e.g. no white-list only corporate proxies) and an SSH client. false https://cfp.securitybsides.org.uk/bsides-london-2024/talk/M8GTGY/ https://cfp.securitybsides.org.uk/bsides-london-2024/talk/M8GTGY/feedback/ Workshop Room 2 Workshop - Short 2024-12-14T10:15:00+00:00 10:15 02:00 Log collection is the foundation of Security Operations. It is critical to have the correct host/application and a collection mechanism for events to facilitate correlation into SIEM/SOAR/XDR. Ineffective security events not only waste platform resources but also increase false-positive detections within a SOC; which then impacts moral and how long it take to triage an alert. Led by SIEM engineering specialists who boast a combined +20yrs experience with clients across government and industry, learn and try some of the best practices and tips that help some of the UKs most critical SOCs run smoothly. If you are playing with Security Onion, or building content and correlation rules, improve your effectiveness by only collecting the events you need…this is for you, take the trash out! bsides-london-2024-57021-taking-the-garbage-out Workshops Guy KramerKyle Pearson en The challenge to balance complete event coverage with efficient log onboarding is commonplace across Security Operations. Getting this balance wrong can lead to missing information in Events of Interest that would have provided context, even exclude some of the events being put in front of an analyst for triage. Conversely, excessive low value events can reduce the efficiency of the technology and overwhelm analysts. Greater awareness and understanding of the process and best practices for log source onboarding, parsing and correlation will lead to better transparency between engineering and operations. This increased cohesion can reduce false-positives, and positively impact MTTD and MTTR. In this workshop we will cover: Introduction to Security Information and Event Management (SIEM) tools, on-prem/cloud Common log sources and collection methods Best practices to identify - Use case definition - Log verbosity (inc scenario) - Log source documentation (inc scenario) RegEx Introduction (inc practical exercise) Review parsed example log source Log source collection (inc practical exercise) Tips / Tricks and lessons learned - CEF/Sigma - Mitre ATT&CK By understanding the principals above the security operations function will be more effective from SIEM engineering through to SOC analysts. true https://cfp.securitybsides.org.uk/bsides-london-2024/talk/P7KJ9A/ https://cfp.securitybsides.org.uk/bsides-london-2024/talk/P7KJ9A/feedback/ Workshop Room 2 Workshop - Long 2024-12-14T13:00:00+00:00 13:00 04:00 Software Reverse-Engineering (SRE) is often considered black magic, but with the right tools and knowledge, its processes can be significantly accelerated. Unicorn Engine is a powerful framework that allows you to execute code platform-independently, which can greatly enhance your SRE skills. Applications, binaries, and frameworks often contain complex functionalities like encryption and decryption methods that are hidden from the user. Reverse-engineering these can be difficult and time-consuming, especially when they involve non-standard, proprietary or non-documented cryptographic functions. This is where Unicorn Engine comes in. It enables us to execute code dynamically without the need for the proper environment or hardware. By emulating the execution, we can analyse and understand the underlying operations, making the reverse-engineering process more effective. bsides-london-2024-54516-defeating-encryption-by-using-unicorn-engine Workshops Balazs Bucsay en With Unicorn Engine, you can dissect and manipulate code in a controlled environment. Whether you are dealing with malware analysis, software debugging, or vulnerability research, Unicorn Engine is an awesome tool in your reverse-engineering toolkit. This training will focus on reverse-engineering one or more binaries with Ghidra. Participants will identify various encryption or obfuscation functions and write code for Unicorn Engine in Python to utilise these functions without ever executing the binary. No special knowledge is required, but familiarity with Python, Ghidra, and x86/x64 assembly would be beneficial. The training will introduce Unicorn Engine to the audience and explain it in depth. false https://cfp.securitybsides.org.uk/bsides-london-2024/talk/9NSRLS/ https://cfp.securitybsides.org.uk/bsides-london-2024/talk/9NSRLS/feedback/ Workshop Room 3 Workshop - Short 2024-12-14T10:15:00+00:00 10:15 02:00 Come join RevEng as we discuss the role of machine learning in expediting the art of binary analysis culminating in a CTF designed to show case how these tools can be used. So whether you are new, or a pro, to malware analysis and machine learning, we invite you to pop along, have some fun, and ask us as many questions as you'd like. bsides-london-2024-56962-malware-unmasked-supercharging-cyber-defense-with-machine-learning-magic Workshops David RushmerJames Patrick-EvansLloyd Davies en For over a decade security companies have been using machine learning to detect and protect against malicious binaries. Some have moved away entirely from traditional detection methods whilst others opt for a hybrid approach. Either way, sometimes they're right, sometimes they're wrong, and sometimes they've no idea what they've detected; luckily for them they've usually got security experts on hand. Attribution, accuracy, similar samples? These questions often fall on the shoulders of security experts and all of which can be time consuming to answer. "Your customer insists the file isn't malicious, let me take a look at that in more detail.", "I might not find any other samples because there is nothing overly unique." or what about "It might be group [x] because these two binaries share a few similar strings...". What if there was another way? Join us as we explore leveraging machine learning to aide researchers in malware analysis, attribution and threat hunting before putting these skills into practice by completing a small CTF challenge aimed at show casing what we think the future of binary analysis will look like. false https://cfp.securitybsides.org.uk/bsides-london-2024/talk/WLKFP3/ https://cfp.securitybsides.org.uk/bsides-london-2024/talk/WLKFP3/feedback/ Workshop Room 3 Workshop - Short 2024-12-14T13:00:00+00:00 13:00 02:00 Open-source tools offer a powerful, cost-effective solution for securing modern applications from development through deployment. This workshop will walk through key tools that help protect your entire stack—from securing your codebase, to monitoring cloud environments, and automating vulnerability detection. We’ll also discuss the strengths and limitations of open-source security tools, showing when they can be the perfect fit for your needs, and when proprietary or custom solutions may be more appropriate. Attendees will get habnds on with tools like OWASP ZAP, Trivy, Bandit, and Checkov to help them understand how to effectively incorporate these solutions. You'll leave with practical knowledge of the best tools for various security tasks and guidance on integrating them to protect your applications at every level. bsides-london-2024-56785-from-code-to-cloud-securing-the-stack-with-open-source-tools Workshops Mackenzie Jackson en Open-source tools have become essential in today’s cybersecurity landscape, offering comprehensive, low-cost solutions for securing modern applications. From securing codebases to protecting cloud environments, these tools can help organizations achieve full coverage without massive investments. However, while open-source tools offer significant advantages—such as flexibility, community support, and transparency—there are also scenarios where they fall short, such as scalability issues, lack of enterprise support, and specific feature gaps. In this workshop, we’ll explore the full spectrum of how open-source tools can be leveraged to secure your applications from development to deployment—covering both the code and cloud layers. We’ll walk through specific tools like: -OWASP ZAP for web application scanning, -Trivy for container security, -Checkov for threat detection in cloud assets -SemGrep, Bandit and Brakerman for SAST Through hands-on experimentation you will see these tools in action and learn how they can be integrated into your development pipeline to enforce security at every stage. We’ll also dive into real-world examples where open-source tools excel—and where they may not always be the best fit. By the end of this session, you’ll walk away with practical strategies to secure your application’s entire stack with open-source tools, as well as an understanding of the limitations to be mindful of. This talk is ideal for security engineers, developers, and DevOps teams looking to improve their security posture using open-source solutions. false https://cfp.securitybsides.org.uk/bsides-london-2024/talk/8EK7GF/ https://cfp.securitybsides.org.uk/bsides-london-2024/talk/8EK7GF/feedback/ Workshop Room 3 Workshop - Short 2024-12-14T15:30:00+00:00 15:30 02:00 In this two-hour hands-on workshop we will show attendees how to build their own EDR/XDR/MDR platform leveraging open-source tools. Attendees will learn to deploy cross-platform EDR sensors, how to use sigma detection rules, write custom detection rules, and leverage open source adversary emulation tools ( Atomic Red Team) to test new them. We will then discuss how to extend these capabilities for investigations and threat hunting by integrating additional open source or free tools to gather additional telemetry such as Sysmon and Velociraptor. bsides-london-2024-55416-roll-your-own-edr-xdr-mdr Workshops Ken WestinJessica Crytzer en In this two-hour hands-on workshop we will show attendees how to build their own EDR/XDR/MDR platform leveraging open-source and free tools. Attendees will learn to deploy cross-platform EDR sensors, how to use sigma detection rules, write custom detection rules, and leverage open source adversary emulation tools ( Atomic Red Team) to test new them. We will then discuss how to extend these capabilities for investigations and threat hunting by integrating additional open source or free tools to gather additional telemetry such as Sysmon and Velociraptor. false https://cfp.securitybsides.org.uk/bsides-london-2024/talk/CUUGBR/ https://cfp.securitybsides.org.uk/bsides-london-2024/talk/CUUGBR/feedback/ Workshop Room 4 Workshop - Short 2024-12-14T10:00:00+00:00 10:00 02:00 In this 2-hour interactive workshop, we will dive into the world of Application Security with the perspective of one of the most iconic tech-savvy superheroes: Iron Man. Like Tony Stark, who continuously refines his armor to fend off evolving threats, we will explore how developers, security champions, and engineers can fortify their applications against vulnerabilities. The session will cover the full spectrum of Application Security, from threat modeling and secure coding to incident response, framed within the tech innovation and constant iteration that Iron Man embodies. Attendees will learn practical approaches to building robust security mechanisms into their software development lifecycle (SDLC), while maintaining agility in the face of new threats—just as Iron Man does with his suits. Through engaging analogies, real-world examples, and actionable takeaways, participants will leave with a superhero’s toolkit to defend their applications from vulnerabilities, automate their defenses, and respond swiftly to incidents. Key Topics: Threat Modeling: Understanding the foundational elements of secure software. DevSecOps: How to protect core application components from critical threats. Vulnerability Management: Proactive vulnerability management process. Application Monitoring: Incident response tactics that mirror Iron Man's agility in combat. Get ready to suit up and protect your applications with the same ingenuity and foresight as Iron Man! bsides-london-2024-56484-the-appsec-lessons-from-iron-man Workshops Cássio Pereira en Step into the shoes—or rather, the suit—of Iron Man as we explore the dynamic world of Application Security. In this 2-hour workshop, you'll learn how to protect your applications with the same innovative strategies Tony Stark uses to shield his tech from relentless attacks. This workshop is designed for developers, security engineers, and security champions who want to understand and implement security practices that are both robust and agile. We’ll cover every aspect of Application Security, from the fundamentals of secure coding to the latest automated defenses, all framed through the lens of Iron Man’s constant innovation and real-time problem-solving. You’ll uncover how to: Develop “armor” for your applications by integrating security from the start. Protect the “arc reactor” of your system—its most critical components—from the most dangerous threats. Improve your “battlefield awareness” with threat modeling and continuous vulnerability scanning. Automate and scale your defenses using cutting-edge security tools. Respond swiftly and effectively to incidents, with agility and precision, just like Iron Man in the heat of battle. This engaging, workshop will not only provide practical insights and strategies but also inspire you to approach Application Security with creativity and foresight. By the end, you’ll be equipped with the tools and mindset to defend your applications like a true tech superhero. Prepare to suit up—your journey to becoming an Application Security hero starts here! false https://cfp.securitybsides.org.uk/bsides-london-2024/talk/KA9T8N/ https://cfp.securitybsides.org.uk/bsides-london-2024/talk/KA9T8N/feedback/ Aerospace Village Workshop - Long 2024-12-14T08:30:00+00:00 08:30 09:00 The Aerospace Village is a volunteer team of hackers, pilots, and policy advisors who come from the public and private sectors. We believe the flying public deserves safe, reliable, and trustworthy air travel which is highly dependent on secure aviation and space operations. Our mission is to Build, inspire, and promote an inclusive community of next-generation aerospace cybersecurity expertise and leaders. We invite you to play with Bricks-in-the-Air, an interactive activity that uses a Lego aircraft model to demonstrate aviation system fundamentals. bsides-london-2024-58995-aerospace-village Aerospace Village en The Aerospace Village is a volunteer team of hackers, pilots, and policy advisors who come from the public and private sectors. We believe the flying public deserves safe, reliable, and trustworthy air travel which is highly dependent on secure aviation and space operations. Our mission is to Build, inspire, and promote an inclusive community of next-generation aerospace cybersecurity expertise and leaders. We invite you to play with Bricks-in-the-Air, an interactive activity that uses a Lego aircraft model to demonstrate aviation system fundamentals. true https://cfp.securitybsides.org.uk/bsides-london-2024/talk/MKVAAJ/ https://cfp.securitybsides.org.uk/bsides-london-2024/talk/MKVAAJ/feedback/ Car Hacking Village Workshop - Long 2024-12-14T08:30:00+00:00 08:30 09:00 Car Hacking Village bsides-london-2024-58994-car-hacking-village Car Hacking Village - en Car Hacking Village true https://cfp.securitybsides.org.uk/bsides-london-2024/talk/JK9H3M/ https://cfp.securitybsides.org.uk/bsides-london-2024/talk/JK9H3M/feedback/ Lock Picking Village Workshop - Long 2024-12-14T08:30:00+00:00 08:30 09:00 Ever wondered how a lock works inside? Already know, and want to up your picking game? Come and meet the experts from TOOOL UK at the lockpicking village. The Open Organisation Of Lockpickers are a multinational group dedicated to defeating locks for fun and games. Learn to beat a pin tumbler lock, see inside various locks, padlocks and, er, even more locks! Come and play with locks! bsides-london-2024-58989-lock-picking-village Lock Picking Village Moon On A Stick & Bristol Locksport en Ever wondered how a lock works inside? Already know, and want to up your picking game? Come and meet the experts from TOOOL UK at the lockpicking village. The Open Organisation Of Lockpickers are a multinational group dedicated to defeating locks for fun and games. Learn to beat a pin tumbler lock, see inside various locks, padlocks and, er, even more locks! Come and play with locks! true https://cfp.securitybsides.org.uk/bsides-london-2024/talk/K8BP7H/ https://cfp.securitybsides.org.uk/bsides-london-2024/talk/K8BP7H/feedback/ Malware Village Workshop - Long 2024-12-14T12:30:00+00:00 12:30 05:00 In Malware Village, we will host various contests and workshops focused on malware analysis. Participants can experiment with and analyze malware under the guidance of professionals. The full Malware Village* currently features three contests: MARC I (Malware Analysis Report Competition) BOMBE (Battle of Malware Bypass EDR) EMYAC (Efficient Malware YARA Analysis Competition) *In BSides London, we only have 4 hours, so we will host a subset of Malware Village. bsides-london-2024-57020-malware-village Malware Village Lena Yu en Details are on the Malware Village website: https://malwarevillage.org MARC I & BOMBE Details on DEF CON forums: https://forum.defcon.org/node/249321 false https://cfp.securitybsides.org.uk/bsides-london-2024/talk/THJBVS/ https://cfp.securitybsides.org.uk/bsides-london-2024/talk/THJBVS/feedback/ Quantum Village Workshop - Long 2024-12-14T08:30:00+00:00 08:30 09:00 Quantum Village bsides-london-2024-58990-quantum-village Quantum Village -Quantum Village en Quantum Village true https://cfp.securitybsides.org.uk/bsides-london-2024/talk/3CE8QD/ https://cfp.securitybsides.org.uk/bsides-london-2024/talk/3CE8QD/feedback/ Train Hacking Village Workshop - Long 2024-12-14T08:30:00+00:00 08:30 09:00 Train Hacking Village bsides-london-2024-58991-train-hacking-village Train Hacking Village -Train Hacking Village en Train Hacking Village true https://cfp.securitybsides.org.uk/bsides-london-2024/talk/7PHCEH/ https://cfp.securitybsides.org.uk/bsides-london-2024/talk/7PHCEH/feedback/