Security BSides London, the UK's biggest community-driven infosec conference, is happy to announce its 8th iteration, open to all regardless of background, skill level, income or job title.
  • Doors to the main event open at 8.30am with talks starting at 9am on 6 June 2018
  • Workshops will be held on 5 June 2018 starting at 10am; Pre-registration is required
Please remember that Security BSides London has a strict code of conduct available here.

Track 1
Wednesday, June 6
 

10:00 BST

Hacking SCADA - How We Attacked a Company and Lost them £1.6M with Only 4 Lines of Code
Hacking SCADA, or more commonly ICS, is serious business; unlike other areas of offensive security, one mistake can cost lives. Mike and Matt will present their ICS research, walk through caveats and protocols, and show some demos. We will also show how you can start researching industrial systems safely and cover what you need to know to not get someone killed. We will also share the story and method behind how we cost a company £1.6M in lost earnings with only 4 lines of code. We will not be showing exploit code, as we believe that, given what's at stake, it's highly irresponsible; what we will do is give responsible researchers the knowledge they need to get involved and start helping to secure critical infrastructure.

Speakers

Matt

Head of R&D, Insinia
Matt (@sekuryti) is currently head of R&D at Insinia Security. Matt's previous roles included senior penetration tester and researcher at SecureLink, Europe's largest managed security services provider, and Operational Security Specialist at Ikea overseeing worldwide Operational Security...

Mike

Director, Insinia
Mike (@mikeghacks), Director of INSINIA Security, started life as a "hacker" before he had hit his teens. Mike has a professional background in Electro-technical / Electro-mechanical Engineering and almost 20 years' experience in building and breaking computers. Mike offers a...


Wednesday June 6, 2018 10:00 - 11:00 BST
Track 1 ILEC Conference Centre 47 Lillie Road London SW6 1UD

11:15 BST

OpSec for Hackers - What You Need to Know to Not Get Caught, Leveraged or Pwned
They say crypto is hard, OpSec is harder. This talk will combine proper operational security techniques with Porthunter's experience in the field; you will walk away with practical OpSec know-how and ideas on how your operations can be more secure. We will cover the heroes, losers and funny stories from the world of OpSec.

Speakers

porthunter

Porthunter has worked in OpSec and offensive security roles for some of the world's largest corporations. Porthunter is a guest lecturer on offensive security at Malmö technology university, a keen CTF player (xil.se) and founder of FR13NDS (Global Hacker Collective). Porthunter now...


Wednesday June 6, 2018 11:15 - 12:15 BST
Track 1 ILEC Conference Centre 47 Lillie Road London SW6 1UD

12:15 BST

How to take over a production system in the cloud
One misconfigured line of code results in anyone in the world being able to destroy or take over a production system in the cloud...

Paul presents examples and demonstrations of real life cloud security issues based on his experience working on cloud migration projects and operational cloud applications for both public and private sector organisations.

He then discusses the root causes of these issues and how best to mitigate cloud security risks, looking not only at technical controls such as automated testing and compliance enforcement, but also at aspects such as knowledge, training, culture and organisational structure.

Speakers

Paul Schwarzenberger

Celidor
Paul is a Cloud Security Architect and DevSecOps specialist with 15 years' experience leading a wide range of security engagements and cloud migration projects for customers across sectors including financial services, telcos, pharmaceutical, education, and UK Government. Paul has numerous...


Wednesday June 6, 2018 12:15 - 13:00 BST
Track 1 ILEC Conference Centre 47 Lillie Road London SW6 1UD

13:30 BST

How I break into Casinos, Airports and CNI: The Basics of Social Engineering
This talk will be about the basics of social engineering into a client's site/office. I think most SE talks focus on the more technical "human" aspects, and I'm purposefully ignoring that side as I think the audience can often get scared by thinking they have to learn every facial micro-expression to get into a client's office successfully. So, I'm going to focus on the basics: how to perform reconnaissance, how to match dress styles, how to make up a pretext that fits your knowledge, how to get real staff to help you, what to do if you do get in, why you should interact with staff, why you should practise being observant, and why you should leave people feeling better for having met you (Chris Hadnagy taught me this).

Speakers

Chris Pritchard

Pen Test Partners
Chris has worked in a range of industries, most notable of which are Critical National Infrastructure and leading edge design and manufacturing. Doing so has given him a huge array of knowledge, from penetration testing robot vacuum cleaners to designing and testing secure ICS/SCADA...


Wednesday June 6, 2018 13:30 - 14:00 BST
Track 1 ILEC Conference Centre 47 Lillie Road London SW6 1UD

14:00 BST

Deep Dive on the Dark Web
Regardless of skill, anyone with an internet connection can stitch together a complex attack with very little effort. Organisations must understand their adversaries, both skilled and unskilled, in order to protect against all manner of threats. This presentation will demonstrate the tools available for purchase on the dark web, how easy it is to acquire them and how they can be used to target individuals and organisations both large and small.

Speakers

John Shier

Sophos
John Shier is a Senior Security Advisor working in the office of the CTO doing research into all manner of threats and security issues. John is passionate about communicating and popularizing security concepts and technologies to customers, partners, and the public at large in an...


Wednesday June 6, 2018 14:00 - 14:45 BST
Track 1 ILEC Conference Centre 47 Lillie Road London SW6 1UD

14:45 BST

Circumventing egress filtering by exploiting HTTP “transfer-encoding: chunked” for faster web shells
During a red team engagement we breached a web server that only allowed HTTP inbound and no outbound connections. While able to upload web shells, reverse shells were unable to establish a connection back to us, and as all ports were firewalled, bind shells were not an option. Furthermore, the only existing tool we were aware of, TUNNA, proved to be too slow for practical exploitation. In this talk we'll introduce ChunkyTuna, a web shell which allowed us to pivot through the compromised server and reach further into the target network. ChunkyTuna began as a reengineering of TUNNA which utilizes the "transfer-encoding: chunked" HTTP mechanism rather than a constant poll loop with request/response pairs. In effect, ChunkyTuna piggybacks on an existing HTTP connection to offer near-direct access to either the STDIO streams of an arbitrary process or the IO streams of an arbitrary TCP port, in a manner similar to the streaming of a media file with unknown content-length.

Speakers

Lorenzo Grespan

Secarma Ltd.
I'm a computer scientist turned penetration tester; I've been a systems administrator, a developer and a project manager in medical robotics, as well as a researcher in computational neuroscience and evolutionary and adaptive systems. I like to solve interesting problems.


Wednesday June 6, 2018 14:45 - 15:15 BST
Track 1 ILEC Conference Centre 47 Lillie Road London SW6 1UD

15:15 BST

Breaking into Embedded Devices and IoT Security
Embedded devices and IoT have received a lot of bad press over recent years. The problem with embedded devices and IoT is that the ever-growing number of Internet-connected devices greatly increases the chances of attackers achieving exploitation by discovering security weaknesses. For example, the Mirai botnet reached record-breaking DDoS speeds in excess of 650 GBps back in 2016, by exploiting default logon usernames and passwords in commonly used home routers and Internet-connected cameras.
This talk aims to cover how to get started finding and exploiting vulnerabilities in embedded devices and IoT. Along the way, the audience will learn some of the hardware and software tools of the trade, how to get started, common attack vectors, responsible disclosure, and how IoT overlaps somewhat with OT/ICS security challenges.

Speakers

Andrew Costis

LogRhythm
Andrew Costis ("AC") is a Threat Research Engineer within the Labs team at LogRhythm. AC has over 17 years of professional experience working in various technical capacities. AC spends his days performing incident response, forensics, malware analysis and reverse engineering...


Wednesday June 6, 2018 15:15 - 16:00 BST
Track 1 ILEC Conference Centre 47 Lillie Road London SW6 1UD

16:15 BST

Random Problems in IoT
Random Numbers are important. Really f***ing important! Yet, they are so often misunderstood. Decent Random Number generation is relied upon by large chunks of our cryptographic wizardry, and yet mistakes are repeatedly made - and we're seeing these mistakes bleeding into IoT.
With the proliferation of 'smart' devices, what affects the security of these devices could affect anything from lightbulbs to pacemakers. The author's own research has found some real problems with embedded devices generating random numbers, some proposed fixes, and then some problems with those for good measure.
We will present an overview of what 'random' is (with little to no scary maths), the current state of the art, an overview of embedded devices' RNGs, our assessment results, and how things can move forward.
This talk will give you:
  • A solid overview of the basics of RNG
  • Some handy hints and nifty tricks for understanding what 'random' really is
  • An overview of the well-known problems in embedded/IoT RNGs - microcontrollers and SDKs just doing it wrong
  • An assessment of what fixes are available - which ones we found issues with, and which seem to work better
  • HSMs and other solutions we look to assess
  • What manufacturers, vendors, compliance bodies, and developers can do
This talk is suitable for people of any technical level, but is aimed at those with an interest in IoT security, cryptography, and hardware.


Speakers

Mark Carney

Security Research Labs
Hacker & maths guy, formerly a musician; having started out on helpdesk in a software firm, then becoming a violinist with a degree in Music w/ Philosophy via being a DBA for a firm, Mark then went on to do an MSc and now full-time PhD study in Mathematics. This rounded off several years...


Wednesday June 6, 2018 16:15 - 17:15 BST
Track 1 ILEC Conference Centre 47 Lillie Road London SW6 1UD

17:15 BST

Solving Threat Detection
Why do organisations fail so badly at threat detection? Despite chucking tons of cash at staff and magic next-gen ML products, detection teams rarely deliver reliable, high quality, tangible results. Where are we going so wrong?

This talk will step through key issues such as re-inventing the wheel syndrome, why information accumulation/sharing matters, the traditional SOC model and detection priorities, building/retaining awesome employees and an honest look at the state of detection tooling (and often underestimated deployment hurdles).

Although perhaps surprising, many issues actually have simple solutions, which will be discussed throughout the talk. Technical examples will be used to quantify the challenges and show how solutions can work in the real world, with lessons learnt coming straight from the experiences of the Countercept hunt team.

Speakers

Alex Davies

Countercept
Alex Davies is the TechOps Lead for the UK hunting team at Countercept. An attacker turned defender, Alex spends his days picking apart the entire kill chain and figuring out how to detect each and every step taken. He also has a passion for all things webapp and is a long term bug...


Wednesday June 6, 2018 17:15 - 17:45 BST
Track 1 ILEC Conference Centre 47 Lillie Road London SW6 1UD

17:45 BST

Closing
Wednesday June 6, 2018 17:45 - 18:00 BST
Track 1 ILEC Conference Centre 47 Lillie Road London SW6 1UD