Security BSides London, the UK’s biggest community-driven infosec conference is happy to announce its 8th iteration open to all regardless of background, skill level, income or job-title.  
  • Doors to the main event open at 8.30am with talks starting at 9am on 6 June 2018
  • Workshops will be held on 5 June 2018 starting at 10am; Pre-registration is required
Please remember that Security BSides London has a strict code of conduct available here.

Log in to bookmark your favorites and sync them to your phone or calendar.

Track 3 [clear filter]
Wednesday, June 6

11:15 BST

Mr Sandman: Timelock puzzles for attack and defence
Delayed execution is a concept of significant interest to attackers, who seek to use it so that their malware is able to bypass the analysis period of sandboxes and antivirus emulators. Historically, techniques used to delay execution have included Windows API calls, and short, simple loops involving assembly, counters, or loading libraries. However, security tools are increasingly able to detect and prevent these techniques, using methods such as accelerating time, returning false tick counts, intercepting API calls, and performing multipath execution. As a result, attackers are constantly striving to find new and creative ways to delay execution. Delayed execution is also of some interest to defenders, who try to implement it, in either manual or automated solutions, in order to frustrate the attack models of bots, botnets, and spammers.

Enter the timelock puzzle - a relatively unknown cryptographic construct whereby a puzzle is presented, the solution to which requires a certain amount of time or computational effort. Historically, timelock puzzles were proposed for benign applications, such as sealed auction bids, escrow, and the timed release of confidential information. However, they provide an interesting method of delayed execution which to date has been underexplored in security research, particularly as an offensive methodology. Specifically, they may present a significant challenge in malware detection and analysis, particularly for automated solutions such as sandboxes.

In this talk, I cover the history of timelock puzzles and their proposed applications for offence and defence, and examine some case studies. I then demonstrate several timelock puzzles which I have developed, including some novel constructions, and show through demonstrations how they can be weaponised - including both process hollowing within executables, and within VBA macros. For each construction, I explore the advantages and disadvantages for both attackers and defenders, and explain how they work, and why. I then turn to prevention and detection, presenting a heuristic model for generic detection of timelock puzzles, and cover the defender's perspective in the form of attacks against timelock puzzles, including parallelisation, predictability, and enhanced computational processing.

I then cover the challenges and feasibility of using timelock puzzles for good, discussing some of the models presented in previous work and a real-world case study where timelock puzzles could have been used to significant effect, break down a proof-of-concept defensive timelock puzzle I created, and some of the issues identified with it from an attacker's perspective.

Finally, I assess the practicality of timelock puzzles for both attack and defence, share some lessons learned from this research, and outline suggestions for future research in this area.

avatar for Matt Wixey

Matt Wixey

Matt leads on vulnerability R&D for the PwC Cyber Security practice in the UK, working closely with the Ethical Hacking team, and is a PhD candidate at UCL, in the Department of Security and Crime Science and the Department of Computer Science. Prior to joining PwC, Matt led a technical... Read More →

Wednesday June 6, 2018 11:15 - 12:15 BST
Track 3 (upstairs) ILEC Conference Centre 47 Lillie Road London SW6 1UD

12:15 BST

OODA Loops: Ctrl+Break the Attack Cycle
The OODA (Observe – Orient – Decide – Act) loop is a conceptual model of human decision-making that we all use whether we are aware of it or not. Originating in military strategy, it is especially relevant when two parties have opposing goals as it makes it possible for one side to exploit flaws in their adversary’s decision making process; conversely, understanding the OODA loop allows one to protect the integrity of one’s own decision making.

This talk will briefly introduce the concept of OODA loops and explain why they are both relevant and useful in an infosec context through a number of case studies showing how the model can be applied to real-world attacks. It will describe typical OODA loops used by both attackers and defenders then explain how attackers’ OODA loops can be disrupted to reduce dwell time and frustrate them in achieving their objectives.


Abel Toro

Abel Toro is a Security Researcher with Forcepoint Security Labs' Special Investigation team focusing on reverse engineering, malware analysis and threat intelligence especially tracking existing groups, analysing their infrastructure and toolchain as well as uncovering new ones... Read More →

Wednesday June 6, 2018 12:15 - 12:45 BST
Track 3 (upstairs) ILEC Conference Centre 47 Lillie Road London SW6 1UD

13:30 BST

CVSS - The Good, The Bad and The Ugly.
Human nature looks for shortcuts and can lead to “lets focus on the critical and high vulnerabilities then we may be able to fix the others later” which is a classic cause of technical debt.  From a simple logic perspective this makes sense but fails to address chained vulnerabilities that represent a high or critical vulnerability, but individually are less impactful.  CVSS scoring has its place, but its not a pure numbers game when it comes to securing your systems, you need to think more like a hacker in defending your information.
At MoJ I break things and find out how secure systems really are, in Feb 17 I found a high severity vulnerability in a high end Cisco data centre device.  This was a CVSS8.8 but became several low risk vulnerabilities when disclosed to Cisco through responsible disclosure.

avatar for Greg Smith

Greg Smith

Ministry of Justice
Greg currently works as for the Ministry of Justice where he is employed as a Senior Security Engineer within the Digital & Technology team, working closely with other government departments including GDS & NCSC. His role encompasses penetration testing, security monitoring and implementation... Read More →

Wednesday June 6, 2018 13:30 - 14:00 BST
Track 3 (upstairs) ILEC Conference Centre 47 Lillie Road London SW6 1UD

14:00 BST

Learning The Ropes : Breaking into the Industry
For a lot of people, the industry of security is very exciting and there's always so many talks about how there's a skills shortage, we need more people! Well I saw the opportunity a few years ago and wrote a primer book on helping folks get into the industry, however 3400 copies later I've learned a lot more via reader feedback and want to give back some more to the community.

So with that said, this talk will take you on a journey of how I and many of my friends/followers/colleagues got into the industry, it will discuss the best ways to land your first job and how to effectively keep up with an ever-evolving landscape. It won't be a super technical talk but will touch on some technicalities  of how to get through x and y.

avatar for Andy Gill

Andy Gill

Pen Test Partners
I am an old school hacker at heart, who's always been interested in taking things apart and sometimes even putting them together again(in-fact he spent a good 5 years in computer repair and data recovery). As my day job I  work as a senior penetration tester but in my nights I can... Read More →

Wednesday June 6, 2018 14:00 - 14:45 BST
Track 3 (upstairs) ILEC Conference Centre 47 Lillie Road London SW6 1UD

14:45 BST

The (Great) Web Application Firewall: What Is It And Is It All That?
In this talk, I describe my firm's journey from having all of its (100+) web applications exposed to the internet with zero protection, our journey from a chronic DoS incident, through to a trial, error and final success story of holding back the bad guys. Is it perfect? No. In the talk I'll discuss the pros and cons.

avatar for Michael Thompson

Michael Thompson

Zen Internet
I’m Mike and I’m an information security analyst, working for a mid-sized UK based telecoms and internet service provider. My role includes threat analysis and management, proactive web application, infrastructure and network security, as well as risk and compliance management.There... Read More →

Wednesday June 6, 2018 14:45 - 15:15 BST
Track 3 (upstairs) ILEC Conference Centre 47 Lillie Road London SW6 1UD

Twitter Feed