BSides is a community-driven event and all talks have been voted on to ensure a day of technical geekery and passion, without the sales pitches. When you come to a talk at BSides Liverpool, be assured it will be informative and entertaining.
Keynote Opening - Omri Segev Moyal - Minerva
Focus on your malware, Not Infrastructure!
Malware analysis is one of the most exciting yet daunting tasks in the security research world. A typical researcher spends countless hours and sometimes days to dissect malware and exploits. To keep up the pace (and sanity) many automation tools have been built to help with different kinds of tasks. Usage of such tools brings a massive problem of maintaining working and secure infrastructure, an infrastructure that is often operated in very hostile environments. This problem causes researchers to spend too much of their time and resources on the infrastructure instead of spending it on their target goal. In this talk, we will learn how every malware analyst can start rapidly using serverless technology to make their life easier. We will dive into a serverless open source project called MalScanBot. Learn how it was built and how it can be used as a template for many other interesting projects. Because as a researcher you should always Focus on your malware, Not Infrastructure.
Keynote Closing - Finux
Machiavelli's guide to InfoSec!
So security is difficult. We know this. Governance of security isn't easy either. This talk looks at how security governance of a company/organisation is a lot like managing a city state during Niccolo Machiavelli's time. What lessons can we learn from The Prince, one of the first amoral guides to governance? As anyone who has attended any of my other history-inspired infosec/hacking talks will know, this won't be what you were expecting 😉
The Beer Farmers
In this talk, we discuss the lengths some organisations go to in order to protect personal data, as opposed to those that merely say they do, once the personal data they were responsible for has been flooded onto the Web.
It's a tale of breach after breach after breach, laced with some hope that certain firms are at least trying to do the right things. We all make mistakes, but we should at least give it our best shot at avoiding doing so.
There'll be humour and music, as well as a very clear message that while many firms are doing the right things, there's a long way to go. Ian and I will combine to deliver something hopefully entertaining, as well as current and educational.
Ian Davies - Grafton PLC
My total exposure to Information Security or Cyber Security between 2003 and 2013 was the occasional jolly to listen to James Lyne when he was at Sophos or attend a one-off freebie workshop with a company who were trying to sell their wares. I thought that to be part of Cyber Security you had to be the best of the best, able to write code blindfolded whilst juggling USB Drives and reading assembly language like you were reading a book. To be fair, that’s what most of my colleagues thought I was doing when I went to do EC Council’s Certified Ethical Hacker… (waits for giggles and groans)
We have to change the way we engage with and deal with corporate IT staff whether they are our customers, or our colleagues. We have to get rid of the elitism that permeates the domain and the subject. I was so excited about doing CEH and when I came back and decided to announce my success, I was pretty much ridiculed… a less confident person could have been completely dejected and consequently rejected this field out of hand as a career choice.
Yes, it’s a misleading course title with some fairly erroneous content, but I now know much more about the subject than I did before I took that course, and I chose to go on and learn more. Rather than ridicule, should we not encourage? If someone has taken the time to do that, or done some self-study, or asked a question, however misguided you think they are, should we not be encouraging them, helping them and driving them to look in more detail at the stuff they just learned or are trying to learn? I came back from that course and demonstrated some simple things: the use of a simple RAT, AV bypass, a reverse TCP session using Metasploit. I’d learnt that from the course that had been so ridiculed. None of the people I showed had seen anything like it, or would have believed you if you told them it was possible. None of them knew that all the software required to repeat the demos was available online for free with tutorials. How can we possibly be doing a good job if a large portion of the people protecting our infrastructure don't know about this stuff? If all we are doing is writing, implementing (and forcing) technical controls we are fighting a losing battle – I believe that we need to change attitudes.
Tomer Hadad - EY Cyber Security Center Israel
Imagine that you're using an iOS app which holds you back with some restriction. It could be a "touch ID" or "enter PIN" screen, an authentication screen, authorized/paid only content or even a sophisticated Jailbreak detection. How would you bypass this?
Often, bypassing restrictions in a black-boxed environment such as an iOS app requires a time-consuming combination of digging through classes, tracing methods and hooking them. But as time goes by, we need to find novel approaches to do more with less (time, effort, resources...).
In this talk I shall present the concept of gaining full control over standard iOS applications' client-side functionality by controlling the application's view controllers and storyboards, and present a free open-source tool which does all of this for you. I will present demos and real-life cases of successfully using this approach and my tool.
By the end of this talk you should be able to bypass restrictions such as the above - in less than a minute.
Dungeons and Datacentres: Dilemmas and Thoughts in Social Engineering
This talk covers some of the recent work I've been doing to develop SE approaches, the sources/methods I've used and key things to bear in mind when approaching SE engagements. It is intended to build upon the Basics/SE 101 that have been covered in depth by others. Key topics:
- OSINT Foundations - Down the Rabbit Hole
- Preparedness vs Spontaneity Dilemma and building your pretext.
- Suspicion Boundaries/Too Good To Be True Dilemma
- Flow & Rapport - some lessons from Improv
- SE to leverage more than just human vulns.
Martin King - The Football Pools
This is not the career you are looking for
A career in IT: the pathways available, how to find yourself a mentor and what personal traits you can use without having to be a Jedi or a ninja.
Warren Mercer - Cisco Talos
Cisco Talos recently discovered a new campaign targeting Lebanon and the United Arab Emirates (UAE) affecting .gov domains, as well as a private Lebanese airline company.
Kashish Mittal - MileIQ, Microsoft
One Man Army
Playbook on how to be the first Security Engineer at a company
How often have you heard that 'Early stage startups don't care much about Security because if there is no product, there is nothing to secure'? Although there is merit in the argument that startups need to build product so as to sustain and grow, it often puts the person in charge of securing them in a tricky position. For most startups, this person is the first Security Engineer, who can be anywhere between the 10th and the 300th employee. By the time the first Security Engineer is on-boarded the attack surface has usually become quite large and he or she faces an uphill battle to go about securing the organization. In such cases, the Security Engineer needs to perform as a 'one-man army' keeping the attackers at bay. In this talk, I will present a playbook on how to perform as one.
Ian Murphy - LMNTRIX
The logs don’t work, they just make it worse
This talk will lay out the foundation on which most SIEM and SOC implementations have been sold, the “needle in a haystack” technique, and why this is no longer viable to detect attackers and known malware that regularly bypasses controls. It will address the double-edged sword of the human element and also where most organizations' current thinking is when it comes to protecting the business.
Saher Naumaan - BAE
An APT Revenge: How attackers respond to disclosure.
Government and industry bodies have invested significant effort in understanding the threat landscape in order to defend their interests in cyberspace, but the issue of how defensive action can influence attacker behavior is poorly understood. This presentation seeks to explore the question: how do attackers respond to investigation into their operations? We will review the ‘spectrum’ of response options and changes that attackers have made to their operations following incident response cases and public reporting (and attribution) of specific groups. Responses range from defensive (‘go quiet’) to aggressive (threats or targeting of researchers), and include a multitude of change-ups in tactics, techniques, and procedures in between. This analysis will draw on evidence from numerous examples both from our investigations and cases from open sources to cover high priority threat groups faced by the public and private sectors as well as unintended consequences of disclosure.
Veronica Valeros, Jan Fajfer - Stratosphere
Emergency VPN - Analyzing Mobile Network Traffic to Detect Digital Threats.
Journalists, human rights defenders and activists rely on mobile phones for their security and safety more than most others. They need to communicate highly valuable information, report news, and stay in touch with their families and news sources while in areas of conflict. Since governments and attackers know that, they constantly attack their phones. Any security issues in their phones put them in real danger.
In this session we will present the Emergency VPN service, a free service from the CivilSphere Project that provides a security analysis of mobile devices' network traffic to determine if the phone is infected, under attack, or compromised. We will explain how the Emergency VPN works, what type of data we capture and the analysis workflow, and show examples of the final report sent back to the users. We will also show a list of vulnerabilities and security problems identified in the last year of work, and try to show how malware is not, in most cases, the biggest risk users are exposed to. We expect that at the end of this talk attendees leave with a clearer vision of how digital threats work in mobile environments.
Raashid Bhat - Spamhaus
Internet bots have been widely used for various beneficial and malicious activities on the web. Recent studies in social media spam and automation provide anecdotal argumentation for the rise of a new generation of spambots like Heodo, Necurs and Tofsee. We extensively study the ecosystem of spambots and we provide quantitative evidence that a paradigm shift exists in spambot design. Spam is probably the biggest vector of infection for both commodity and targeted malware. One of the reasons it has earned this position is thanks to spam botnets, malware that has only one job: to send as many malicious mails as possible. Most of these bots operate for years and are very resilient to takedowns, largely due to their complicated infrastructure and protocols.
We benchmark several advanced techniques used by spambots today for proliferation and lateral movement. Their proliferation techniques include advanced methods so that spambots stay undetected by endpoint security. We also describe their ecosystem and show how spambots are used for criminal activities other than just spam, e.g. mining and POS infection. We extensively detail how compromised computers create many revenue opportunities for spammers, who can sell them for bitcoin mining, click-fraud, spam distribution, and other services.
In recent years ‘takedowns’ of spambots are starting to diminish. We detail how these spambots have their network defenses and SOS’s to make takedown efforts ineffective. Malware distribution is no longer a sideline for spammers, but the core business model. It is not about volume but clicks. We also did extensive research on the monetization approach of the spammers behind these spambots.
Spambots act as a delivery mechanism for various other botnets as well; this paper will explore how there are overlaps not only in the distribution, but also in the revenue sharing of these botnets. While keeping the network endpoints of these spambots under scrutiny, some of the participating criminal providers were uncovered; we detail how these hosting providers are facilitating the distribution and working of these spambots.
Session attendees will gain a clear understanding of the spambot ecosystem, the infection vectors and social engineering tricks deployed by the criminals that make it successful, and how one can better prepare for spambot attacks.
Stuart Peck - ZeroDayLab / Many Hats Club
How not to respond to incidents
If you look at the headlines, there are winners and losers when it comes to crisis communications dealing with a plethora of breaches and incidents. Most organisations don't have a solid incident response plan, and when they do it is poorly executed, especially when dealing with the Infosec community. This talk draws down from years of experience of being an incident responder/manager for a range of high profile breaches.
In this talk you will learn:
- How not to panic! Why taking a little extra time to review what is, and what is not actually happening is vital. Perspective for the win.
- What actions you should be performing in the first 60 minutes, known as the "Golden Hour", which set the tone and outcome of Incident Response
- Why Attribution is hard, and should you focus on it initially?
- Overview of the Incident Response Pyramid of Pain, with questions you can ask your organisation to judge maturity in dealing with simple and complex incidents.
- How not to communicate a breach: some vital lessons for external and internal crisis comms
- Finally, some takeaways and materials for building Incident Response plans, run books and tools for threat hunting.
Andrew Costis - Carbon Black
Living off the Land binaries, aka “LOL bins”, have been an integral part of various operating systems, but when malware strikes, common LOL bins are often exploited in order to carry out attack techniques such as persistence or exfiltration in order to advance the attack. This talk aims to discuss the purpose of LOL bins, and will walk through some examples of recently observed commodity malware campaigns that leverage LOL bins, their associated MITRE ATT&CK ID and behavior, and why ATT&CK is relevant in the context of LOL bins and malware, as well as in a broader context.
Chloe Messdaghi - BugCrowd
Every security tester has some sort of methodology and toolset they use. This "secret sauce" is the essence of good security research. The BountyCraft panel is about disclosing those secrets. The panel will talk through the successful tools and techniques used by the panelists, what they focus on, and why. They will discuss topics such as advances in tooling, approaches to different types of applications, reconnaissance, vulnerability trends in bounty, and more. Viewers will leave this presentation with practical recommendations for hacking methodologies, tools, and tips to hack better. The panelists will talk through vulnerabilities commonly seen as edge cases that have been present on heavily tested sites, and what the upcoming challenges in the space are.
This talk focuses on the current and future state of bounty hunting and web hacks, so that bug hunters or penetration testers can be knowledgeable about the various environment trends. We will be going over the changes to the web attack landscape and how web hackers can better find bugs in the web applications that are currently being developed.
- Jason Haddix
- Anonymous Hunter 1
- Anonymous Hunter 2
- Chloé Messdaghi (Moderator)
Having created a CTI service from a greenfield and led multiple CTI teams, I have experienced the pain of the BUZZWORD known as CTI. Many contacts of varying experience and skill have inquisitively asked me WTF is CTI? Cyber Threat Intelligence is a fusion of the art of intelligence and that of a cyber security analyst. The role of a CTI analyst is fantastic in that an individual from a 'n00b' off the street to a senior malware reverse engineer can become a CTI analyst and should be considered a step backwards. The CTI team spans other teams from level 1 SOC to CISO (And beyond) and acts as a transit route to many other fantastic roles within Cyber Security.
The workshop is aimed at introducing those not in the CTI field, or who are still trying to grasp its capabilities. During the workshop we will go over the components of a CTI team, its I/O, methodologies, tools and more. The workshop will span non-technical and technical tasks; for those with little to no cyber background it will push their capabilities but allow them to gain insight into the potential. For those more technical it will allow them to understand the data flows of information (Info != Intel) and be better SOC analysts, Malware REs, Forensic Investigators, etc.
How can we be private in an age of convenience?
How does the digital space impact real life?
How to become a rational cypherpunk
My talk will cover many conversational topics and thought-provoking ideas about how we treat digital privacy in an age where our entire lives have been seemingly taken over. I aim not only to educate the people in my talk, but to get them really thinking about this often controversial topic and to provide the base (and resources) for further research. Simply because of the nature surrounding privacy, I hope to leave listeners with a new perspective regarding tech in their daily lives.
Workshop - 4hrs
The Cyber Security Bootcamp is for the interested IT professional with a passion for cyber security, as well as seasoned security experts who are looking to get their hands dirty on various offensive and analysis tasks.
We will do:
- Reverse engineering of binary applications and proprietary network protocols with tools like radare2, objdump, strings, strace, tshark/wireshark and using malware sandboxes
- Attacking web stacks built on Ruby, PHP, SQL DBs, Redis, nginx (websockets) by hand, supported with Burp
- Write scripts in your preferred language (shell, python, perl, ...) in order to aid the offensive and analysis activities outlined above
- Every topic will be addressed with one or more short challenges/tasks. The trainer will provide brief introductions for each topic/task. Participants are encouraged to collaborate and the trainer will provide support, tips and tricks.
The ultimate goal is to have fun while learning and sharing knowledge.
Peter Bleksley was a founder member of Scotland Yard's undercover unit in the 1980s and part of the hit TV show "Hunted".
Join us for a very special talk.
Jamie Hankins @2sec4u - Kryptos Logic
"New talk who dis"
WannaCry & Threat Intelligence.