Track One
You voted, and here are the results:
Time: 10:15 - 11:15
Pentesting like a Grandmaster
Abraham Aranguren - @7a_
Bio: After an infosec honour mark at university, from 2000 until 2007 Abraham's contact with security was mostly from a defensive point of view: fixing vulnerabilities, source code reviews and vulnerability prevention at the design level as an application and framework architect. From 2007 forward Abraham focused more on the offensive side of security with special focus on web app security. In his spare time Abraham is the lead developer/architect of OWTF (http://owtf.org), an independent security consultant, a GIAC exam question writer and a security blogger (http://7-a.org). Abraham also holds a number of information security certifications: CISSP, OSCP, GWEB, OSWP, CPTS, CEH, MCSE:Security, MCSA:Security, Security+
Abstract: "Background: The Offensive (Web) Testing Framework (aka OWTF) is a free and open-source OWASP+PTES-focused tool. Its objective is to unite great tools and make pen testing more efficient. Full details available at http://owtf.org. Chess is a complex game: The number of permutations is just too great to compute the best possible move during a game. This is similar to pen testing in that we also have too many vulnerabilities to find and choose from not only on a 1 by 1 basis but also how we would chain them together like a real attacker. Chess players must analyse efficiently to beat time constraints like pentesters but unlike pentesters they have been doing this for a long time. The purpose of this talk is to expose the techniques chess players have been using for centuries and to illustrate how we can learn from these and apply them to pen testing. The talk will be highly practical and will show how these techniques have been incorporated into OWTF, not only with screenshots but also demos. Have you ever had to spend valuable time in the middle of a test to prepare something you could have prepared in advance? Did you ever analyse a vulnerability/attack-path in depth only to find a significantly easier to exploit vulnerability hours/days after? Pen testing is very similar to playing chess: It is easy to get carried on and waste valuable analysis time on a line of attack that is just not the best option. Maybe mistakes like this will be a bit less likely after attending this talk."
The presenter says... The level of difficulty of this talk is 4 and I consider it is suitable for Techies, Business, Any Geek. This is a new talk and it can be filmed and released.
Time: 11:30 - 12:30
The evolution of Rootkits into the mobile ecosystems
Rorie Hood - @1337hound
Bio: 4th Year Ethical Hacking Student at the University of Abertay Dundee. Founder and Honorary of Abertay's Ethical Hacking Society. Passionate about Malware Development and low-level Exploitation.
Abstract: "Desktop Operating Systems have had to deal with malware for a long time now. Windows in particular has seen a huge amount of malware developed for it, however in comparison Linux has seen relatively little. This is down to the fact that Windows has majority share on Desktop computers, and that malware developers are generally motivated by money. As a result, Linux users, and previously to a large extent Mac users, have been spared. The development of smartphones has brought about an interesting twist, and in this market Android is the dominant platform; Android of course runs on top of a modified Linux Kernel. This begs the question; to what extent does Linux Kernel based malware (or variants of it) threaten Android devices? Assuming compromise, just how easy is it to run a Linux Kernel based Rootkit on an Android device? This talk looks at distinct areas to answer these questions; How Linux Rootkits are built, and how can the Kernel be subverted? Just how different from pure Linux is Android, and does this change the approach, or can we directly port? As Android grows in popularity, can we solve the Rootkit problem?"
The presenter says... The level of difficulty of this talk is 4 and I consider it is suitable for Any Geek. This is a new talk and it can be filmed and released.
Time: 12:45 - 13:30
Defense by numbers: Making problems for script kiddies and scanner monkeys.
Chris John Riley - @chrisjohnriley
Bio: Chris John Riley is a senior penetration tester and part-time security researcher working in the Austrian financial sector. With over 15 years’ experience in various aspects of Information Technology, Chris is now focused full-time on his true passion, Information Security. Chris is one of the founders of the PTES (Penetration Testing Execution Standard), regular conference attendee and avid blogger (blog.c22.cc). When not working to break one technology or another, Chris enjoys long walks in the woods, candle light dinners and talking far too much on the Eurotrash Security podcast.
Abstract: "On the surface most common browsers (user agents) all look the same, function the same, and deliver web content to the user in a relatively uniform fashion. Under the surface however, the way specific user agents handle traffic varies in a number of interesting ways. This variation allows for intelligent and skilled defenders to play with attackers and scripted attacks in a way that most normal users will never even see. This talk will attempt to show that differences in how user agents handle web server responses can be used to improve the defensive posture of a website. Further examples will be given that show specially crafted responses can disrupt common automated attack methods and cause issues for casual attackers and wide scale scanning of websites."
The presenter says... The level of difficulty of this talk is 3 and I consider it is suitable for Techies. This is a new talk and it can be filmed and released.
Time: 14:30 - 15:30
Make Cyber-Love, not Cyber-war
Stephen Bonner - @stephenbonner
Bio: Stephen Bonner is a Partner in the Information Protection team at KPMG where he leads a team focused on Financial Services. Before KPMG he was Group Head of Information Risk Management at Barclays. He was inducted into the InfoSec “Hall of Fame” in 2010 and was number 1 on the SC/ISC2 ‘Most Influential 2010’ list.
Abstract: "As the second-highest-rated speaker last year, I'd like to think I could just write 'It's Stephen Bonner, vote for this talk and there will be chocolates and weird outfits' but I want to be the highest rated this year; so get ready for an extravaganza of Gaussian proportions as I reveal the past, present and future of cyber-war and what we can all do to protect and survive in the new code war."
The presenter says... The level of difficulty of this talk is 3 and I consider it is suitable for Any Geek. This is a new talk and I'm sorry but can't be filmed (only for those attending).
Time: 15:45 - 16:45
32. Pen Test Automation - Helping you get to the pub on time
Rory McCune - @raesene
Bio: Rory has worked in Information Security for the past 12 years and focused on security testing for the last 7. He has held posts in several large UK financial services security teams, designing and delivering security testing services. He is currently a director at ScotSTS Limited, a Scottish IT provider of security testing and application security consultancy services. Rory holds the CREST Certified Application Testing consultant. He is the OWASP Scotland chapter leader and presents regularly on technical security topics including application development security and penetration testing.
Abstract: "Time is always tight in Pen Test, there's a load of things to check and not enough time to check them, and then there's the delights of writing it all up for the report. If you want to get home (or to the pub) on time, getting good at automation is vital, from one line hacks to multi-hundred line scripts, some lines of code can go a long way. Tasks like parsing tool output and completing similar checks on large ranges of hosts are classic opportunities to save time and find important information quickly. This talk aims to look at how to approach some common test automation tasks and make scripts that'll stand the test of time."
The presenter says... The level of difficulty of this talk is 3 and I consider it is suitable for Techies. This is a new talk and it can be filmed and released.
Time: 17:00 - 18:00
5. Going Stealth: Staying off the Anti-Virus RADAR.
Alex Polychronopoulos
Bio: Alexios Polychronopoulos is a Software Security Consultant at Cigital. He holds a BSc in Computer Science and an MSc in Information Security, and has 4 years of security related working experience. Starting from penetration testing and research and development related to OS security and malware, Alex moved on to Software Security, spending most of his time doing security architecture reviews for a major financial institution.
Abstract: "Anti-Virus software is often the first line of defence in host based intrusion prevention. For years both black-hats and ethical hackers have researched how to avoid detection - some to compromise hosts reliably and others to improve detection. Executable packers are a popular technique used by virus and malware writers. They "pack" their malicious payload by compressing and/or encrypting it and they distribute it with enough clear-text instructions to "unpack" it. In particular, we'll look at basic AV detection concepts and the basic design principles for packers. We'll also touch on advanced techniques like polymorphism and metamorphism. You'll leave marvelling that your AV ever catches anything at all."
The presenter says... The level of difficulty of this talk is 3 and I consider it is suitable for Techies, Any Geek. This is a new talk and I'm sorry but can't be filmed (only for those attending).