
Talks submitted


Page 1: Talks submitted

CfP results - Catalogue of talks submitted to be scheduled on Tracks 1 & 2

Selection process: Electronic voting by those registered for the event

Note: BSidesLondon13 has two tracks of scheduled talks. All participants have the right to vote and select the top 10 talks they would like to see on the day. There are 63 talks on offer and we recommend you take the time to read through the abstracts. To make this easier we have printed one talk per page; the page number equals the talk number. Talks have been sorted by level of difficulty and then alphabetically by name as entered on the form. All the details are as described by the presenters, including difficulty level.


Catalogue of proposed talks for BSidesLondon13 Talk No.1

Fun Boy Three: It Ain't What You Do It's The Way That You Do It! By Bruce Hallas (@brucehallas)

Abstract: Why, with so much at stake, have measures to protect information assets and systems failed to generate popular momentum or support? Why do security professionals struggle to be heard and subsequently, empowered, to address these risks? Why do many of those outside of the information security domain remain indifferent, uninterested or even resistant? Our prognosis is simple. The single largest barrier, to the adoption of effective practices, to secure sovereign states, businesses and citizens, against the threats from cybercrime and cyber-incompetence, is the effectiveness of communication between those responsible for information security and their audiences. On one side of that barrier is a chasm of unintelligibility, and on the other a chasm of indifference and lack of interest. The information security professional needs to step outside of their natural domain and think like a communications professional. Starting with “What might my target audience be interested in? Because it sure isn’t information security”.

About the presenter: Bruce Hallas Bruce is the creator and founder of The Analogies Project and the owner and principal consultant at Marmalade Box Ltd. For 12 years he has advised widely on the impact of information security risks to cash flow, profitability, personal and organisational reputations, economic and social prosperity. He puts down his success in information security to storytelling, facts, figures, metaphors and delivering against expectations. Bruce’s formal training was in law, finance and marketing. This, combined with experience in business development and resource management, led him to develop an information and people centric approach to security where achieving acceptable levels of risk, and not 100% security, was his objective. This was the principle upon which he built an information security practice at one of the UK’s largest IT resellers, ISC Networks, in 1999. He has a strong interest in public policy and the risks, and opportunities, that information security introduces to economic and social prosperity. His public policy work includes the development of IRISS (Integrated Regional Information Security Strategy), the forerunner of what are now known as the UK’s Regional CyberSecurity Strategies, the role of transparency in security best practice, strengthening of security certification standards and influencing cultural attitudes towards security. Whenever possible, Bruce enjoys presenting on the implications of information security to as varied an audience as possible. He’s presented to marketing, communications, nanotechnology, bio-tech, economic policy, digital & social media, academic and finance audiences as well as those within information security. He likes to draw parallels between events happening around us, and information security, and raise awareness of these through Twitter, his blog and now his most ambitious effort to date, The Analogies Project. Company: The Analogies Project Website: theanalogiesproject.org

The presenter says... The level of difficulty of this talk is 4 and I consider it is suitable for Business. This talk has been presented at other conferences and it can be filmed and released.


Catalogue of proposed talks for BSidesLondon13 Talk No.2

Change Happens: this is going to hurt. By Christian Toon (@christiantoon)

Abstract: “It is not the strongest species that survive, nor the most intelligent, but the ones most responsive to change.” (Charles Darwin) Information security and management is changing rapidly, but have we?

• What are the trends that are driving change in the way companies manage and use information?

• Why don’t companies want to know?

• What is the cost of inaction?

• What is the opportunity to lead the way?

• How can we make a difference?

In a time of smart phones, smart cars and smart meters, are we missing a smart workforce? Most data breaches are caused by people rather than technological failure. Our people and the technology created to protect them and our businesses are in constant conflict. Do we need to go further and secure people’s behaviour? When is too much security a problem rather than a solution? Is it our people who are letting us down by playing with IT, or is it us who are failing to get the message across? Change is often hard but staying the same will be even harder. What do we as a profession need to do differently? We secure the information but now we need to securely manage the people.

About the presenter: Christian Toon Information Risk and Security Pragmatist @ Iron Mountain International, aspiring glove model and closet geek. 6 years in Information Security and Management, 10 years collectively in managing risk. A seeker of truth and protection and determined to bring information security responsibilities to the masses. Company: Iron Mountain Website: https://www.linkedin.com/in/christiantoon

The presenter says... The level of difficulty of this talk is 4 and I consider it is suitable for Techies, Business, Any Geek. This is a new talk and it can be filmed and released.


Catalogue of proposed talks for BSidesLondon13 Talk No.3

The evolution of Rootkits into the mobile ecosystem By Rorie Hood (@1337hound)

Abstract: Desktop Operating Systems have had to deal with malware for a long time now. Windows in particular has seen a huge amount of malware developed for it; however, in comparison Linux has seen relatively little. This is down to the fact that Windows has majority share on Desktop computers, and that malware developers are generally motivated by money. As a result, Linux users, and previously, to a large extent, Mac users, have been spared. The development of smartphones has brought about an interesting twist, and in this market Android is the dominant platform; Android of course runs on top of a modified Linux Kernel. This begs the question: to what extent does Linux Kernel based malware (or variants of it) threaten Android devices? Assuming compromise, just how easy is it to run a Linux Kernel based Rootkit on an Android device? This talk looks at distinct areas to answer these questions: How are Linux Rootkits built, and how can the Kernel be subverted? Just how different from pure Linux is Android, and does this change the approach, or can we directly port? As Android grows in popularity, can we solve the Rootkit problem?

About the presenter: Rorie Hood 4th year Ethical Hacking student at the University of Abertay Dundee. Founder and Honorary of Abertay's Ethical Hacking Society. Passionate about malware development and low-level exploitation.

The presenter says... The level of difficulty of this talk is 4 and I consider it is suitable for Any Geek. This is a new talk and it can be filmed and released.


Catalogue of proposed talks for BSidesLondon13 Talk No.4

Pentesting like a Grandmaster By Abraham Aranguren (@7a_)

Abstract: Background: The Offensive (Web) Testing Framework (aka OWTF) is a free and open-source OWASP+PTES-focused tool. Its objective is to unite great tools and make pen testing more efficient. Full details available at http://owtf.org. Chess is a complex game: The number of permutations is just too great to compute the best possible move during a game. This is similar to pen testing in that we also have too many vulnerabilities to find and choose from, not only on a 1 by 1 basis but also in how we would chain them together like a real attacker. Chess players must analyse efficiently to beat time constraints like pentesters, but unlike pentesters they have been doing this for a long time. The purpose of this talk is to expose the techniques chess players have been using for centuries and to illustrate how we can learn from these and apply them to pen testing. The talk will be highly practical and will show how these techniques have been incorporated into OWTF, not only with screenshots but also demos. Have you ever had to spend valuable time in the middle of a test to prepare something you could have prepared in advance? Did you ever analyse a vulnerability/attack-path in depth only to find a significantly easier to exploit vulnerability hours/days after? Pen testing is very similar to playing chess: It is easy to get carried away and waste valuable analysis time on a line of attack that is just not the best option. Maybe mistakes like this will be a bit less likely after attending this talk.

About the presenter: Abraham Aranguren After an infosec honour mark at university, from 2000 until 2007 Abraham's contact with security was mostly from a defensive point of view: fixing vulnerabilities, source code reviews and vulnerability prevention at the design level as an application and framework architect. From 2007 forward Abraham focused more on the offensive side of security with special focus on web app security. In his spare time Abraham is the lead developer/architect of OWTF (http://owtf.org), an independent security consultant, a GIAC exam question writer and a security blogger (http://7-a.org). Abraham also holds a number of information security certifications: CISSP, OSCP, GWEB, OSWP, CPTS, CEH, MCSE:Security, MCSA:Security, Security+. Company: Cure53 Website: http://cure53.de/

The presenter says... The level of difficulty of this talk is 3 and I consider it is suitable for Techies, Business, Any Geek. This is a new talk and it can be filmed and released.


Catalogue of proposed talks for BSidesLondon13 Talk No.5

Going Stealth: Staying off the Anti-Virus RADAR By Alex Polychronopoulos

Abstract: Anti-Virus software is often the first line of defence in host based intrusion prevention. For years both black-hats and ethical hackers have researched how to avoid detection—some to compromise hosts reliably and others to improve detection. Executable packers are a popular technique used by virus and malware writers. They “pack” their malicious payload by compressing and/or encrypting it and they distribute it with enough clear-text instructions to “unpack” it. In particular, we’ll look at basic AV detection concepts and the basic design principles for packers. We’ll also touch on advanced techniques like polymorphism and metamorphism. You’ll leave marvelling that your AV ever catches anything at all.

About the presenter: Alex Polychronopoulos Alexios Polychronopoulos is a Software Security Consultant at Cigital. He holds a BSc in Computer Science and an MSc in Information Security, and has 4 years of security related working experience. Starting from penetration testing and research and development related to OS security and malware, Alex moved on to Software Security, spending most of his time doing security architecture reviews for a major financial institution.

The presenter says... The level of difficulty of this talk is 3 and I consider it is suitable for Techies, Any Geek. This is a new talk and I’m sorry but it can’t be filmed (only for those attending).


Catalogue of proposed talks for BSidesLondon13 Talk No.6

Pentesting iOS Apps – Runtime Analysis and Manipulation By Andreas Kurtz (@aykay)

Abstract: Security testing of mobile apps and their environment has become increasingly important in recent years. However, there is still a lack of testing methodologies and supporting tools. Accordingly, the objective of this presentation is to close that gap. As in any kind of software security assessment, two different approaches exist: static and dynamic analysis. While static analysis gives detailed insights into a mobile app, it is not always the most practicable way. To evaluate the security level of a mobile app within an economically reasonable timeframe, it is worthwhile to combine both static and dynamic analysis. During this talk, I will explain the basic concepts of Objective-C and its runtime. Objective-C supports the concept of reflection, also known as introspection. This describes the ability to examine and modify the structure and behavior (specifically the values, meta-data, properties and functions) of an object at runtime. Based on this dynamic nature of the Objective-C runtime I will show how runtime analysis and manipulation eases security assessments of mobile apps. For this purpose, I will discuss the backgrounds, techniques, problems and solutions to Objective-C runtime analysis and manipulation. I will demonstrate how running applications can be extended with additional debugging and runtime tracing capabilities, and how this facilitates both dynamic and static analysis of Apple iOS apps. Moreover, a new tool to assist dynamic analysis and security assessments of iOS Apps will be introduced and demonstrated. This tool allows on-the-fly manipulations of arbitrary iOS Apps with an easy-to-use graphical user interface. Thus, bypassing client-side restrictions or unlocking additional features and premium content of Apps is going to be child’s play.
Altogether, by using the tools and techniques provided during this talk, pentesters will be able to explore the attack surface of mobile applications more efficiently, while developers of mobile apps might prefer to avoid client-side logic and security measures in the future.

About the presenter: Andreas Kurtz Andreas Kurtz is co-founder of NESO Security Labs, an independent information security consulting and research company based in Germany. He has several years of professional experience in conducting penetration tests for large-scale enterprises, corporations and public authorities as well as in giving training, presentations and workshops. Within the scope of his research activities for the chair of IT Security Infrastructures at the Friedrich-Alexander-University Erlangen-Nuremberg in Germany, he focuses on the security of mobile devices and mobile applications. Company: NESO Security Labs / University of Erlangen-Nuremberg Website:

The presenter says... The level of difficulty of this talk is 3 and I consider it is suitable for Techies, Business, Any Geek. This talk has been presented at other conferences and it can be filmed and released.


Catalogue of proposed talks for BSidesLondon13 Talk No.7

(Impress Your Boss and Get Promoted by) Building InfoSec Metrics From Security Logs By Anton Goncharov (@meta_net)

Abstract: Information security metrics and KPI/KRI reports are a mystical area of expertise from the realm of highly paid consulting firms. It is also an area of frequent failure for security software vendors and consultants alike. We discuss how security analysts with access to system and security logs can easily build metrics which are relevant, actionable, and rich with business context. This talk is full of practical tips and suggestions based on our experience delivering such metrics to customers of all shapes and sizes. We will step through the process of selecting, extracting, and visually presenting the metrics in a simple and straightforward way which is certain to provide high value to your organization.

About the presenter: Anton Goncharov InfoSec, log management and security event management geek who likes to talk to business about security, compliance, and visibility. Company: MetaNet IVS Website: http://metanetivs.com

The presenter says... The level of difficulty of this talk is 3 and I consider it is suitable for Techies, Business. This talk has been presented at other conferences and it can be filmed and released.


Catalogue of proposed talks for BSidesLondon13 Talk No.8

Dissecting Targeted Attacks – Separating Myths from Facts By Candid Wueest

Abstract: A lot of media report on targeted attacks or so-called APTs, but how sophisticated are those attacks really? Flamer & co. are only the tip of the iceberg and even they had flaws. Most of the attacks are not so smart at all, but nevertheless successful. I will elaborate on the common methods of targeted infection & exfiltration happening every day around the globe, explaining the methods and tools used by the attackers with real life examples. I will show why they successfully bypass most security tools and analyse where these attacks differ from the common malware flood.

About the presenter: Candid Wueest Candid Wüest holds a master of computer science from the Swiss Federal Institute of Technology (ETH) and various other certifications. When the sun is shining he works for Symantec's global security response team, where he has been going far beyond anti-virus signatures during the last ten years. He researches new threat vectors, analyses trends and formulates new mitigation strategies. He has published various articles and appeared in magazines and TV shows. He is a frequent speaker at conferences like VB & RSA and one of the organizers of hashdays. He learned coding and the English language on a Commodore 64. Company: (Symantec)

The presenter says... The level of difficulty of this talk is 3 and I consider it is suitable for Any Geek. This talk has been presented at other conferences and it can be filmed and released.


Catalogue of proposed talks for BSidesLondon13 Talk No.9

Defense by numbers: Making problems for script kiddies and scanner monkeys By Chris John Riley (@chrisjohnriley)

Abstract: On the surface most common browsers (user agents) all look the same, function the same, and deliver web content to the user in a relatively uniform fashion. Under the surface, however, the way specific user agents handle traffic varies in a number of interesting ways. This variation allows intelligent and skilled defenders to play with attackers and scripted attacks in a way that most normal users will never even see. This talk will attempt to show that differences in how user agents handle web server responses can be used to improve the defensive posture of a website. Further examples will be given that show specially crafted responses can disrupt common automated attack methods and cause issues for casual attackers and wide scale scanning of websites. -- Note -- As this research is ongoing a 1/2 slot would be preferable to ensure the content is to the point and communicated most effectively to the audience.

About the presenter: Chris John Riley Chris John Riley is a senior penetration tester and part-time security researcher working in the Austrian financial sector. With over 15 years’ experience in various aspects of Information Technology, Chris is now focused full-time on his true passion, Information Security. Chris is one of the founders of the PTES (Penetration Testing Execution Standard), regular conference attendee and avid blogger (blog.c22.cc). When not working to break one technology or another, Chris enjoys long walks in the woods, candle light dinners and talking far too much on the Eurotrash Security podcast. Website: http://blog.c22.cc

The presenter says... The level of difficulty of this talk is 3 and I consider it is suitable for Techies. This is a new talk and it can be filmed and released.


Catalogue of proposed talks for BSidesLondon13 Talk No.10

What can Social Engineers learn from Psychics By Dale Pearson (@subliminalhack)

Abstract: This is research currently underway (I hope there is something to learn). Failing that, I have a backup talk I am putting together on an SE approach to phishing. Abstract below: Social Engineering involves the influence and manipulation of people via various methods and communication channels. To be successful at this it is important to build rapport with your targets rapidly, or at a minimum have some form of implied trust. In my opinion the practitioners of the Psychic industry do a stand up job of manipulating individuals at a very personal level, and they achieve this on a very strong, often heartfelt level with the use of cold reading and other methods allowing them to appear to fail safe. In this talk we will look at these techniques, and how we can possibly utilise this information to be more effective Social Engineers.

About the presenter: Dale Pearson Dale Pearson is a passionate Information Security Professional who has been working in Information Security since 2004, and in the IT industry since 1998. He has been exposed to and works in a wide range of security areas, such as security and risk consulting, policy and compliance, penetration testing, social engineering, forensics, incident response, and awareness training. Dale is the founder of subliminalhacking.net where he blogs about social engineering, hypnosis, and other skills to improve success as a social engineer. He is also one of the hosts of the Eurotrash Security Podcast. Website: www.subliminalhacking.net

The presenter says... The level of difficulty of this talk is 3 and I consider it is suitable for Techies, Business, Any Geek. This is a new talk and it can be filmed and released.


Catalogue of proposed talks for BSidesLondon13 Talk No.11

Bypassing Akamai By Darren McDonald

Abstract: Akamai offer a content caching solution used by many of the internet's biggest web sites. Akamai also markets their solution as a layer of defense against Denial of Service and Web Application vulnerabilities. However, the Akamai network has a number of limitations which can allow the protection it offers to be bypassed. This talk will cover:

• A basic overview of how Akamai works

• Limitations of Akamai

• Identifying hosts using Akamai

• Bypassing Akamai Caching, Web Application Firewall, and Rate-limiting rules

• Bypassing Akamai Entirely

• Debugging Akamai

In effect, a step-by-step walk-through of how a tester or attacker might bypass many of the defenses Akamai offers its clients, exposing high profile web applications to denial of service and common web application attacks. This talk is aimed at penetration testers and developers and administrators of applications using Akamai. A basic understanding of DNS, Web Applications, and HTTP is required to get the most out of this talk.

About the presenter: Darren McDonald CHECK Team Leader who has been a professional penetration tester for five years. Company: NCC Group Website: http://www.nccgroup.com/

The presenter says... The level of difficulty of this talk is 3 and I consider it is suitable for Techies. This is a new talk and it can be filmed and released.


Catalogue of proposed talks for BSidesLondon13 Talk No.12

Cross Dressing and Mobile Web By Dave Hartley (@nmonkee)

Abstract: The explosion of mobile platforms and devices has created an unprecedented level of fragmentation in the application market. Because of this, the development, testing and distribution of an application for multiple platform/device combinations can be prohibitively expensive. Often this can require multiple development teams (Java/C#/Objective-C) and, for security conscious organisations, multiple security assessments. Cross-platform development frameworks offer a solution to these issues. The frameworks are cross-browser compatible and support multiple languages and technologies such as JSON, YQL, WAML, JavaScript libraries, jQuery UI elements and HTML5/CSS3 etc., giving the developer the freedom to create mobile applications for iOS, Android, Blackberry, Windows Phone, and others by developing the application only once in common languages (HTML, CSS and JavaScript). Additionally many cross-platform frameworks offer a myriad of APIs allowing interaction with the device's capabilities, such as low level network access, file system interaction as well as access to camera and microphone functionality etc. Cross-platform frameworks are beginning to look like the panacea to many developers' and business woes; however there may well be a sting in the tail. The cross-platform frameworks can introduce an attack surface that would not necessarily be present in a native application. This talk aims to introduce the security considerations that developers, businesses and security consultants assessing mobile applications should be aware of and should serve as a cautionary tale to those looking to embrace this development approach. The results of the attack surface analysis will be presented and a tool set that is capable of detecting, enumerating and exploiting these weaknesses will be demonstrated.

About the presenter: Dave Hartley Dave is a Principal Security Consultant for MWR InfoSecurity operating as a CHECK and CREST Certified Consultant (Application and Infrastructure). MWR InfoSecurity supply services which support their clients in identifying, managing and mitigating their Information Security risks. Dave has performed a wide range of security assessments and provided a myriad of consultancy services for clients in a number of different sectors, including financial institutions, entertainment, media, telecommunications, software development companies and government organisations worldwide. Dave also sits on the CREST assessors’ and NBISE advisory panels, where he invigilates examinations and collaboratively develops new CREST examination modules. CREST is a standards-based organisation for penetration test suppliers incorporating a best practice technical certification programme for individual consultants. Dave has also been actively engaged in creating a US centric examination process in conjunction with NBISE. Dave has been working in the IT Industry since 1998 and his experience includes a range of IT Security fields and disciplines. Dave is a published author and regular contributor to many information security periodicals and is also the author of the Bobcat SQL injection exploitation tool and several SAP Metasploit modules. Company: MWR Website: labs.mwrinfosecurity.com

The presenter says... The level of difficulty of this talk is 3 and I consider it is suitable for Techies, Business, Any Geek. This is a new talk and it can be filmed and released.


Catalogue of proposed talks for BSidesLondon13 Talk No.13

The Realex Payments Application Security story, narrated by Security Ninja By David Rook (@securityninja)

Abstract: As the old British Telecom adverts used to say, it’s good to talk, so I thought now was a good time to talk about how we do application security at Realex Payments. Rather than just talk about where we are today, this talk will focus on the lessons learned over the past five years and what I'd do differently if I could do it all again. I will tell the story of how application security has worked and evolved in a fast growing technology company from the day we created our first application security role in the business to our current application security approach. The story will include how we scaled application security to keep up with the changes in a fast growing business, how playing card games with developers was one of the best things we've ever done and how following the KISS principle in the early days of an application security program is vital. You will see how we have progressed from having no dedicated application security resources to our current staffing levels and how our goals have evolved from simply security reviewing our applications to grander goals such as wanting to provide free application security training for anyone in Ireland. This isn't an application security talk focusing on the theory and approaches that seem good on paper. You will have the opportunity to learn the lessons from five years of real world application security from the person who was at the centre of application security in Realex Payments. Following on from the success of Agnitio, I will be releasing three new open source application security tools I have developed in this talk. These tools have helped improve application security reviews, reporting and visibility in Realex and I hope they will do the same for you! The Ninja News Daily said "5 stars! The Realex Payments Application Security story is a gripping story of one ninja's journey through five years of application security. Do not miss!"

About the presenter: David Rook David Rook is the Application Security Lead at Realex Payments in Dublin. He is a contributor to several OWASP projects including the code review guide and the Cryptographic Storage Cheat Sheet. He has presented at leading information security conferences including DEF CON, BlackHat USA and RSA Europe. In addition to his work with OWASP David created a security resource website and blog called Security Ninja. The Security Ninja blog has been nominated for five awards including the best technology blog at the Irish Blog Awards, the Computer Weekly IT Security blog award and was a finalist for the Irish Web Awards Best Technology Site. David received a Developer Security MVP award from Microsoft in 2011 and 2012 as well as the SC Magazine Europe 2012 Rising Star award. David strives to practice what he preaches and has backed up his work experience by developing two open source security code review tools called Agnitio and the Windows Phone App Analyser. Company: Realex Payments Website: http://www.securityninja.co.uk/

The presenter says... The level of difficulty of this talk is 3 and I consider it is suitable for Techies, Business, Any Geek. This is a new talk and it can be filmed and released.


Catalogue of proposed talks for BSidesLondon13 Talk No.14

Defending the Mobile Realm By Dominic Chell (@deadbeefuk / @MDSeclabs)

Abstract: At almost every security conference, you will find a talk about mobile or mobile app security. But out of all those talks, how many are specifically focused on defence? The answer is very few, if any. So what happens when you have a mobile app that handles highly sensitive information, how do we protect against the risks that everyone is talking about? This talk will discuss how we can embed defensive strategies into mobile apps, specifically to complicate reverse engineering, binary modification, debugging and run-time tampering, as well as demonstrate some proof of concepts developed by MDSec.

About the presenter: Dominic Chell Dominic is one of the founding directors of MDSec, a UK based security consultancy. Dominic specialises in mobile security having released whitepapers, tools and presentations in this area, in addition to being listed as a subject matter expert for a secure iOS development examination being run in the US. As a researcher, he has released advisories and developed exploits for a number of major software vendors, including Microsoft, Apple, Mozilla, Oracle and Real. Company: MDSec Website: http://www.mdsec.co.uk

The presenter says... The level of difficulty of this talk is 3 and I consider it is suitable for Techies. This is a new talk and it can be filmed and released.

Catalogue of proposed talks for BSidesLondon13 Talk No.15

I'm the guy your CSO is STILL warning you about! By Gavin 'Jac0byterebel' Ewan (@jac0byterebel)

Abstract: 'I’m the Guy your CSO warned you about' was not your typical social engineering talk. Out went the snake oil sale of analysing the minutiae of pop psychology and trying to squeeze out real answers to the questions asked during a real social engineering attack. In came a hard hitting account of a social engineering attack drawn from real sources but anonymised to protect the pwned. Deano, our 'hypothetical' bad guy, hacked and social engineered his way to cash in his pocket and no cash in your pocket, but despite the warnings, y'all didn't listen enough. This talk will see our hypothetical bad guy, Deano, up the stakes and deliver the kind of aggressive attack you have all lived in fear of. No longer a phone call to get your credentials, or a rogue e-mail to direct you to a fake website; this time it's personal and Deano is looking to do you REAL damage. Still drawing on real data from anonymised sources, from the account given of this attack, attendees of the talk will see that a real social engineer doesn’t once pick up a psychology textbook. Deano will instead pose you a question - "What if Joe Bloggs on the street had access to the kind of skills and instructions to destroy all my data?". Live in fear of Hacktivism? You won't sleep at night after meeting Deano this time. If you want an hour of being told that ‘looking to the right makes you easier to social engineer’, go to another talk. If you want to see how the real bad guy operates, and talk about how to defend against him, then I look forward to seeing you there.

About the presenter: Gavin 'Jac0byterebel' Ewan Gavin 'Jac0byterebel' Ewan is a ranty, shouty, sweary Scottish hacker. After selling lots of things to lots of people, he decided to get firmly into the field of information security, always having been a geek at heart. Having taken his education and training in psychology, particularly sales psychology into the field of social engineering, he is now re-writing the social engineering rulebook and chasing out the snake-oil salesmen. Already a successful speaker, Gavin has delivered talks on social engineering worldwide to various audiences.

The presenter says... The level of difficulty of this talk is 3 and I consider it is suitable for Any Geek. This is a new talk and it can be filmed and released.

Catalogue of proposed talks for BSidesLondon13 Talk No.16

I know what you're doing next summer By Gavin 'Jac0byterebel' Ewan (@jac0byterebel)

Abstract: First things first. This is not a talk on human psychology. Not once will I gaze lovingly into your eyes and tell you what you had for breakfast. The question this talk seeks to answer is this - "What if the bad guy could tell you your next password before you choose it?" You want 'Advanced Persistent Threats'? Well, this talk will threaten you till the end of time, all without once being particularly 'advanced'. Seems impossible? In this talk attendees will learn why the traditional password as we know it needs to die, once and for all. No password policy is good enough; they are all broken in exactly the same way. Using techniques that look well beyond the traditional 'password' grab, attendees will learn why losing your current password to the malicious hacker is the very least of your worries, and how your organisation's password policy makes future password prediction very easy, at a computer level. This talk will explore the anatomy of the password as we know it and why the methods we commonly use to build a 'perfect' password are inherently flawed, to the point that they can be exploited to make prediction of future passwords possible. The next time you are changing your password, ask yourself a couple of questions. Does the bad guy already know what I am going to type? Was that last attack just to get me to change my password to one that can be predicted? Scary thought? Come along to the talk and we'll see what we can do to make it all better for you. See you there!

About the presenter: Gavin 'Jac0byterebel' Ewan Gavin 'Jac0byterebel' Ewan is a ranty, shouty, sweary, Scottish hacker. Brought up on a diet of haggis, neaps, tatties and sales, Gavin cut a swathe through the world of financial sales before charging head first into infosec. Degree educated in Psychology and Economics, Gavin brings an entirely different viewpoint to the security world and oh, did I mention he does technical stuff too? Currently researching bridging the gap between the traditional 'social engineer' and the technical hacker, Gavin has spoken worldwide on social engineering and open source intelligence gathering.

The presenter says... The level of difficulty of this talk is 3 and I consider it is suitable for Any Geek. This is a new talk and it can be filmed and released.

Catalogue of proposed talks for BSidesLondon13 Talk No.17

The Reality of Redis By Graham Sutherland (@gsuberland)

Abstract: Redis is an open-source key-value storage (NoSQL) engine used by some big names: github, StackExchange, Disqus, flickr, Blizzard, just to name a few. It is capable of storing a huge amount of data, and is optimised for simplicity and speed. What seems to be missing, within the community, is a proper analysis of the potential security impact of a compromised Redis instance. This talk aims to demonstrate just how easy it is to find open Redis instances, and how they can be used to exfiltrate data or gain further access to a system. It covers everything you need to know from a pentesting perspective, from the basics of the Redis protocol to attacks that can unleash some serious pwnage. I'll also be revealing some real-life examples of exposed systems.

About the presenter: Graham Sutherland Software developer by day, security researcher by night. One-man army against bad security practice. Tinkerer in all things hardware and software. I've only been involved in the security conference scene for a short while, but I hope to bring new and interesting things from the world of code monkeys. I spend a lot of time engaging with the community, mainly on Twitter and the IT Security StackExchange website.

The presenter says... The level of difficulty of this talk is 3 and I consider it is suitable for Techies, Any Geek. This is a new talk and it can be filmed and released.

Catalogue of proposed talks for BSidesLondon13 Talk No.18

The Present and Future of SSL/TLS and Browser PKI By Ivan Ristic (ivanristic)

Abstract: The last few years have been tough on SSL/TLS and browser PKI, but the ecosystem is bouncing back with technical and organisational improvements, new protocols, and new standards. With these changes, we are now actually able to deliver reasonable levels of communication channel security. In fact, the main problem now seems to be navigating the large number of standards to understand where they can be used and how. In this presentation I will present the most important improvements, such as HTTP Strict Transport Security, Content Security Policy, Public Key Pinning, TACK, DANE (DNSSEC) and others.

About the presenter: Ivan Ristic Ivan Ristić is a respected security expert and author, known especially for his contribution to the web application firewall field and the development of ModSecurity, the open source web application firewall. He is also the author of Apache Security, a comprehensive security guide for the Apache web server, and ModSecurity Handbook. He founded SSL Labs, a research effort focused on the analysis of the real-life usage of SSL and the related technologies. A frequent speaker at computer security conferences, Ivan is a member of the Open Web Application Security Project (OWASP), and an officer of the Web Application Security Consortium (WASC). He is a Director of Engineering at Qualys, where he is in charge of the WAF product line. Company: Qualys Website: http://blog.ivanristic.com

The presenter says... The level of difficulty of this talk is 3 and I consider it is suitable for Techies, Business, Any Geek. This is a new talk and it can be filmed and released.

Catalogue of proposed talks for BSidesLondon13 Talk No.19

DDoS Network Hardening By Jay Coley

Abstract: This presentation will be centred around local steps and best practices to prevent or reduce the damage caused by DDoS attacks. This will include:

• Network Edge Architecture

• DDoS mitigation appliances

• ISP involvement

• Configuration best practices

• DDoS response best practices

About the presenter: Jay Coley Jay Coley has more than 20 years of Network Engineering and IT experience in both the military and commercial high-tech companies. Jay joined Prolexic in 2006 and has held senior positions in Network Engineering, Pre-Sales and Solutions Architecture. Prior to Prolexic, Jay worked for NTT and XchangePoint as an IP backbone network engineer. In the past he has also held leadership positions in the US Military and holds several industry recognized engineering certifications. In addition, Jay also holds a Bachelor of Science (HONS) degree in Computing and Information Technology and a British Computing Society Diploma from the Open University, United Kingdom. Company: Prolexic Technologies Website: www.prolexic.com

The presenter says... The level of difficulty of this talk is 3 and I consider it is suitable for Techies, Business, Any Geek. This is a new talk and I’m sorry but it can’t be filmed (only for those attending).

Catalogue of proposed talks for BSidesLondon13 Talk No.20

Why is Information Integrity left alone and not given the TLC (Tender, Love & Care) it deserves? By Jitender Arora (@jee2uu)

Abstract: The core principles of Information Security are Confidentiality, Integrity and Availability (known as the CIA triad). There is always a debate over the priority order of confidentiality, availability, or integrity. Which one is more important than the other? If we ask this question to a typical security consultant, the answer we often get is “Well, it depends. It is not possible to blindly say which is more important”. However, we often find businesses make significant investment in ensuring Confidentiality (encryption controls to secure data in transit and/or data in storage) and Availability (Disaster Recovery Environment) of their information. Business processes rely on accuracy of data to take critical and key business decisions, but still it is considered adequate to protect only the confidentiality and availability of business sensitive data. How can we ensure Integrity of data that is used in BI and Data Warehouse tools to make business critical decisions? In this workshop, we will discuss the importance of Information Integrity controls with some real life use cases, discuss options to establish a priority order of confidentiality, availability, or integrity, and pragmatic control options to protect Information Integrity.

About the presenter: Jitender Arora Mr. Arora is an Interim Executive responsible for leading security transformation programmes to drive information security maturity. In his last assignment, he served as Interim CISO for a leading UK financial institution and was responsible for managing and delivering on Information Security and Risk Management aspects for the new online bank. He has 13+ years of experience in Information Security and Risk Management working within Financial Services, Manufacturing, Logistics, Technology and R&D. In his previous roles, he has been responsible for defining and executing information security strategy for the respective business areas that included conducting strategic review of the security function to assess their maturity, preparing business cases to secure funding for security improvement programmes to address identified gaps, presenting business cases, negotiating with senior stakeholders and managing these improvement programmes. Website: https://www.linkedin.com/in/jarora

The presenter says... The level of difficulty of this talk is 3 and I consider it is suitable for Any Geek. This talk has been presented at other conferences and it can be filmed and released.

Catalogue of proposed talks for BSidesLondon13 Talk No.21

Savage tales of victory and defeat in the CFO’s throne room: an illustrated guide to rethinking security strategy from a business perspective By Jon Hawes (@jonhawesuk)

Abstract: Lock up your buzzwords; save the techies and PCI managers first! This talk is based on over 6 months of research that has focused on how security can achieve the most challenging hack of all: delivering effective and cost-efficient reductions in risk to protect what matters most to the business. Based on frank, off-the-record interviews with security leaders in some of the world’s largest companies, this illustrated guide explores the often savage (but rarely talked-about-in-public) truths that surround the business of managing security risk and delivering value for money. Aided by nothing but a few hand puppets and lots of pictures involving Lego, this talk will use stories provided by those who have swum in the shark infested waters of ‘c-level’ and been kind enough to share not only their successes, but also their failures, (as well as being brutally honest about the lies they’ve sometimes told themselves). Presentation highlights:

• Take in the view from the CFO’s throne room, with a contextual model for rethinking security risk management in view of what matters most to the business

• Lessons learned by security leaders as they have traversed the lifecycle of winning buy-in, securing investment, spending the money and reporting back to those who hold the purse strings

• A number of innovative approaches to strategy that are being used in highly complex environments to gain maximum reduction in business risk with minimum investment, (complete with case study examples on network, application and data security)

• Some answers to two of the hardest questions the board can ask you about information security management: “What does ‘good’ look like?” and “Are *we* good?”

About the presenter: Jon Hawes Jon has spent 6+ years engaging with CISOs and senior stakeholders within industry, government and intelligence agencies, who are responsible for information security and risk management. His research focuses on how organisations are managing strategic, operational and technical security challenges in order to meet enterprise requirements in a changing business, technology, compliance and threat environment.

The presenter says... The level of difficulty of this talk is 3 and I consider it is suitable for Techies, Business, Any Geek. This is a new talk and I’m sorry but it can’t be filmed (only for those attending).

Catalogue of proposed talks for BSidesLondon13 Talk No.22

Garbage In, Garbage Out, Understanding SIEM's Weak Spot By Jonathan Katz (@katzmandu)

Abstract: SIEMs have become almost as ubiquitous as firewalls and IDS installations at most major enterprises. The problem is that a SIEM is only as good as the information which it receives. Most enterprises take their SIEM for granted, and treat it as a system of record. The records within a SIEM are used for investigations and to prove compliance with various standards and goals. Many SIEMs still receive their messages via UDP Syslog, a 30 year old attack vector. This vector can become an Achilles' heel for any SIEM installation, as well-crafted messages can make their way into the SIEM and be treated as legitimate even if rogue. Device types thought to have a secure communications pipeline can be easily spoofed.

About the presenter: Jonathan Katz Jonathan Katz is a reformed Solaris administrator turned infosec SIEM guy. As Managed Services Lead at MetaNet IVS he's responsible for the remote maintenance and management of many instances of HP's ArcSight SIEM and ensuring that the same product can work for many different types of customers. Company: MetaNet IVS Website: http://www.metanetivs.com

The presenter says... The level of difficulty of this talk is 3 and I consider it is suitable for Techies, Any Geek. This is a new talk and it can be filmed and released.

Catalogue of proposed talks for BSidesLondon13 Talk No.23

Coaching Security By Kai Roer (@kairoer)

Abstract: This is more of a training, based on a full day workshop of training people to communicate security, risk and requirements using coaching techniques. Security is easy for the geeks, yet so many geeks seem unable to successfully help users understand how to deal with security. This session will teach you a few easy-to-learn, easy-to-use techniques which will enhance your communication skills to a level where (most) people will be able to relate to you and the topic.

About the presenter: Kai Roer Kai Roer is an information security practitioner with a special skill with people. He shares tips on communication, trust and security through his books, blogs, trainings and speaking engagements around the world. Company: The Roer Group Website: http://roer.com

The presenter says... The level of difficulty of this talk is 3 and I consider it is suitable for Techies, Business, Any Geek. This is a new talk and it can be filmed and released.

Catalogue of proposed talks for BSidesLondon13 Talk No.24

HTML5: attack and defense By Ksenia Dmitrieva

Abstract: With the emergence of HTML5, web applications become more interactive and responsive. Using Web Workers for multithreading and Web SQL for storing data on the client side, HTML5 applications start to resemble desktop applications. But what new attack opportunities do the new technologies bring? How can we exploit Cross-Origin Resource Sharing, Web Messaging, Web Storage and iframe sandboxing? And how do we write secure code that is resilient to these attacks? Several common vulnerabilities will be presented during this talk together with code examples of how to do things right.

About the presenter: Ksenia Dmitrieva Ksenia Dmitrieva is a Security Consultant with Cigital, Inc. and has several years of experience developing and securing web applications. Ksenia holds a Master of Computer Science degree from George Washington University. As a consultant, her customers include Bank of America, Morgan Stanley, IBM, EA and Sony, where she has performed penetration testing and code review, focusing on web applications, web services and new web frameworks. Ksenia’s current concentration is on studying new web technologies, their security implications, vulnerabilities and how these could be discovered and remediated. Company: Cigital

The presenter says... The level of difficulty of this talk is 3 and I consider it is suitable for Techies, Any Geek. This is a new talk and it can be filmed and released.

Catalogue of proposed talks for BSidesLondon13 Talk No.25

Built with you in Mind By Lawrence Munro (@pentesticles)

Abstract: A discussion of hardening techniques and code samples that can be used to confuse, delay and deter those awful malcontents who would wish to subvert your Web Application Security. I discuss the research that we at Pentesticles have been doing around manipulating the Application and Web Server data that is returned to users (attackers) by Apache, and the various techniques we have devised to defeat enumeration techniques and tools that are commonly used. We aim to turn the tables and confuse the crap out of Skiddies and low-skilled attackers, and delay or deter the guys who know what they're doing. Yoink!

About the presenter: Lawrence Munro Penetration Tester and Head of Consulting Service for Nebulas, Lawrence has worked in IT for over 8 years for the likes of HP and smaller boutique consultancies. Key interests include Apache hardening, Web Application Testing (especially ASP.NET), Social Engineering and general breaking of stuff and things. He's the founder and co-author of Pentesticles.com and owner of Hackarmoury.com. Company: Nebulas Website: www.pentesticles.com

The presenter says... The level of difficulty of this talk is 3 and I consider it is suitable for Techies, Any Geek. This is a new talk and it can be filmed and released.

Catalogue of proposed talks for BSidesLondon13 Talk No.26

From Zero to Hero - Twenty years of Windows Security By Marion McCune (@MarionMcCune)

Abstract: The fact that Windows Security has greatly changed over the last 20 years will come as a surprise to two major groups: those long timers who still regard Microsoft as the anti-security bogey man, and those people too young to remember the ‘bad old days’. The truth is that Microsoft have come a long way in the field of OS Security, and secure development practice as a whole, and have in fact moved from being the butt of many jokes on the subject to actually being one of the most responsive and security focused vendors. This talk briefly covers the history of Windows Security from the days of Nimda and Code Red, to Gates’ TWC Memo and the development of the Microsoft SDL. The bulk of the material will relate to the security features of the newly released Windows Server 2012 (Dynamic Access Control, password policy, DNS/DHCP improvements, encryption, Secure Boot etc.). The talk will end with a comparison of where we are now, just following the release of Server 2012, with the situation at the low ebb of MS’s security fortunes in 2000.

About the presenter: Marion McCune Abandoned my career in corporate IT after 17 years to form a Penetration Testing company with my husband two years ago. I specialize in Web Application testing and Microsoft technologies in general, together with Lotus Domino and BES. Company: ScotSTS Ltd Website: www.scotsts.com

The presenter says... The level of difficulty of this talk is 3 and I consider it is suitable for Techies. This is a new talk and it can be filmed and released.

Catalogue of proposed talks for BSidesLondon13 Talk No.27

Everything Old is New Again By Michael Kemp (@clappymonkey)

Abstract: A lot of talks focus on the latest technologies and emerging attacks. It's understandable. If as a researcher you find 0day in this month's latest hot technology you are almost certainly getting press coverage, which means either your salary / day rate is increasing, or you are getting a better job. Sadly, so called 'legacy' technology is often ignored (it certainly isn't mentioned much in most talks or books). Organisations that provide critical infrastructure do not ignore legacy technology, and neither should any penetration tester that claims to know their craft. This talk will look at some of the more often ignored legacy systems, and how to assess them without knocking over huge chunks of an internal estate. Topics covered will include AS400, why RFI still works, VMS, PBX, X.25, SCADA PLCs, how to avoid looking retarded in the press, and all manner of 'old' stuff you can find deployed in the real world. There will be no *significant* 0day (although the author does have some juicy details on SCADA systems and PLCs), but attendees will hopefully come away fired up and wanting to play with some old school tech.

About the presenter: Michael Kemp Michael is an experienced security consultant, with a specialisation in the penetration testing of web applications and the testing of compiled code bases and DB environments to destruction. As well as the day job, Michael has been published in a range of journals and magazines, including heise, Network Security, Inform IT and Security Focus. To date, Michael has worked for NGS Software, CSC (Computer Sciences Corporation), British Telecom, and a host of freelance clients throughout the globe. Presently, Mike is working in a day job for Xiphos Research Labs (which he really has no choice in as he set it up). When not breaking things, Michael enjoys loud music, bad movies, weird books and writing about himself in the third person. Mike has previously presented at security conferences in Jakarta, Mumbai, Hawaii, New York, Los Angeles, Warsaw, Prague, Holland, Athens, Zagreb, Krakow, Quebec, and London (on subjects as diverse as virtualisation, malware, and why the government sucks), and is always keen to embarrass himself in new and exotic locales. He is often drunk, frequently swears heavily, and is usually disappointed with the way the security 'industry' is going. Company: Xiphos Research Website: www.xiphosresearch.com

The presenter says... The level of difficulty of this talk is 3 and I consider it is suitable for Any Geek. This talk has been presented at other conferences and it can be filmed and released.

Catalogue of proposed talks for BSidesLondon13 Talk No.28

JavaScript Security and HTML5 By Mike Shema (@CodexWebSecurum)

Abstract: Modern web apps that leverage HTML5 APIs rely heavily on JavaScript. But the mixture of JavaScript, poor programming, and insecure server-side code makes the web an Orwellian place where "JavaScript is Harmless". HTML5 introduces security controls like sandboxes, Cross Origin Resource Sharing (CORS) and Content Security Policy (CSP). Each of these contributes to a more secure browsing experience, but only if implemented properly -- and only against the flaws they were designed to mitigate. If you've been confused about whether HTML5 improves security or not, this presentation will clarify what to expect from web apps. It lists the steps necessary to improve your site's JavaScript and prepare it for a smooth transition to better security with CSP, with demonstrations of why the effort to refactor your code is worth taking. It covers the risks and benefits associated with other HTML5 APIs and how they impact the user agent and the user's privacy. Finally, it highlights areas where browser security still lags, and offers some suggestions for new techniques to improve browser security against more than just XSS.

About the presenter: Mike Shema Mike Shema writes software to test the security of web sites. When not writing in C++ he turns to books and blog posts to share his knowledge of information security, from network penetration testing to wireless hacking to secure programming. (And includes a generous helping of music, sci-fi, and horror references to keep the topics entertaining.) He has taught hacking classes and presented research at security conferences around the world. Company: Qualys Website: http://deadliestwebattacks.com

The presenter says... The level of difficulty of this talk is 3 and I consider it is suitable for Techies, Business, Any Geek. This talk has been presented at other conferences and it can be filmed and released.

Catalogue of proposed talks for BSidesLondon13 Talk No.29

Cyber Security as a tool for Business Transformation By Oscar O'Connor (@oscarpjoconnor)

Abstract: All too often, we hear practitioners complain of a lack of understanding from budget holders of the need to introduce robust cyber security controls into their business processes. This talk addresses the reasons this might be the case and introduces an approach to making the business case which focuses on process improvement, resilience and performance rather than the prevention of negative "stuff". In the speaker's opinion, organisational leaders are more aware, at least at the conceptual level, of the risks which affect them, including cyber security risks. What they have, which specialist practitioners in any field lack, is a view of the broader picture. They also have pressures on them which go far beyond the prevention of cyber threats. As an industry, we need to talk their language and position cyber security and information assurance as a means of generating tangible benefit to the organisation in order that the business case will not only stand scrutiny but also have a much better chance of being accepted and thus funded.

About the presenter: Oscar O'Connor I am an experienced, commercially-focused senior executive with a strong track record in the development and implementation of business strategies and delivery against challenging objectives. A driven self-starter with a positive, can-do attitude, vision, dedication, intellectual rigour and proven expertise in relationship building at all levels from shop floor to the boardroom. Over the course of more than 20 years of professional experience I have worked in a wide range of sectors and blue chip organisations. Over the past 15 years, I have been published by IT Week, British Standards Institution, Business Continuity Institute, Global Continuity, Continuity Insurance and Risk, Superyacht Owner and the Confederation of British Industry. Company: Security Risk Management Website: Newcastle-Upon-Tyne

The presenter says... The level of difficulty of this talk is 3 and I consider it is suitable for Techies, Business. This is a new talk and it can be filmed and released.

Catalogue of proposed talks for BSidesLondon13 Talk No.30

Mesh Stalkings: Hacking with a Mesh Network of Low-power ARM Devices By Phil Polstra (@ppolstra)

Abstract: This presentation will show attendees how to use The Deck, an Ubuntu-based full-on penetration testing and forensics distro which runs on the BeagleBoard and BeagleBone family of boards, in a connected mesh network. The Deck is an open source system which debuted in London in September 2012. It contains hundreds of tools which have been ported to the ARM platform. Having a full system (complete with X Windows) in a small low-power package allows for great flexibility in penetration testing. The Deck can be run for days to weeks off of battery power. An entire penetration testing platform can be housed in a small child's lunchbox. This presentation will focus on the MeshDeck addon to The Deck. The MeshDeck adds ZigBee networking capabilities to The Deck. The addition of the MeshDeck adds considerable power and flexibility to an already powerful system. For example, a few BeagleBone versions of The Deck can be outfitted with ZigBee radios and then dropped at a customer site, where they can run off battery power for an entire pentesting engagement while sending information on which networks/passwords/etc. they have cracked back to the pentester who is sitting in his car a mile away running The Deck on his BeagleBoard complete with 7" touchscreen. This entire setup can be fit into two lunchboxes. Attendees will leave with a better understanding of what is possible with small, low-powered devices. Attendees will also get an idea of what is required in order to port a Linux distro and/or applications to a new platform. An overview of ZigBee mesh networks will be presented. To get the most out of this presentation attendees should be familiar with penetration testing and Linux. Experience programming in C would also be helpful, but not required.

About the presenter: Phil Polstra Phil was born at an early age. He cleaned out his savings at age 8 in order to buy a TI99-4A computer for the sum of $450. Two years later he learned 6502 assembly and has been hacking computers and electronics ever since. Phil currently works as a professor at a private Midwestern university. He teaches computer security and forensics. His current research focus involves use of microcontrollers and small embedded computers for forensics and pentesting. Prior to entering academia, Phil held several high level positions at well-known US companies. He holds a couple of the usual certs one might expect for someone in his position. Phil is also an accomplished aviator with several thousand hours of flight time. He holds 12 ratings including instructor, commercial pilot, mechanic, inspector, and avionics tech. When not working, he likes to spend time with his family, fly, hack electronics, and has been known to build airplanes. Company: University of Dubuque Website: http://ppolstra.blogspot.com

The presenter says... The level of difficulty of this talk is 3 and I consider it is suitable for Techies. This is a new talk and it can be filmed and released.

Catalogue of proposed talks for BSidesLondon13 Talk No.31

SMEs: The Hackers Preferred Target By Richard Henson (#IASME1)

Abstract: It has been a matter of continued concern that hackers seem to be able to find their way into corporate systems and "allegedly" engage in industrial espionage (or worse...). My own research has shown that a culture of "compliance" has arisen, which effectively addresses small business security matters on a tick box form (or worse... a self-signed tick box form). This is very much not in the spirit of ISO27001, which requires a system to be established and regularly maintained. IASME have tried to address the problem for SMEs by introducing a certification system based on ISMS principles. The talk will explain why we think contracts based on compliance are potentially dangerous, and how certification to a management standard is the way to go.

About the presenter: Richard Henson I was a teacher and academic before becoming ever more deeply enmeshed in the contradictions and fascinations of Information Security... especially regarding SMEs. It has been my passion for the last five years to talk to anyone who will listen about how SMEs are being left out of the debate about Information Security, and how SME interests need to be strongly represented in matters of planning about how to secure the nation's information infrastructure and make British business provably trustworthy to third parties. The fact that this may be an impossible challenge has not deterred me thus far, and I have been working with some brilliant people to make this a matter of national concern and priority. Company: IASME Consortium Website: http://iasme.co.uk

The presenter says... The level of difficulty of this talk is 3 and I consider it is suitable for Business, Any Geek. This talk has been presented at other conferences and it can be filmed and released.

Catalogue of proposed talks for BSidesLondon13 Talk No.32

Pen Test Automation - Helping you get to the pub on time By Rory McCune (@raesene)

Abstract: Time is always tight in Pen Test: there's a load of things to check and not enough time to check them, and then there's the delights of writing it all up for the report. If you want to get home (or to the pub) on time, getting good at automation is vital; from one line hacks to multi-hundred line scripts, some lines of code can go a long way. Tasks like parsing tool output and completing similar checks on large ranges of hosts are classic opportunities to save time and find important information quickly. This talk aims to look at how to approach some common test automation tasks and make scripts that'll stand the test of time.

About the presenter: Rory McCune Rory has worked in Information Security for the past 12 years and focused on security testing for the last 7. He has held posts in several large UK financial services security teams designing and delivering security testing services. He is currently a director at ScotSTS Limited, a Scottish IT provider of security testing and application security consultancy services. Rory holds the CREST Certified Application Testing consultant qualification. He is the OWASP Scotland chapter leader and presents regularly on technical security topics including application development security and penetration testing. Company: ScotSTS Limited Website: http://www.scotsts.com

The presenter says... The level of difficulty of this talk is 3 and I consider it is suitable for Techies. This is a new talk and it can be filmed and released.

Catalogue of proposed talks for BSidesLondon13 Talk No.33

Make Cyber-Love, not Cyber-war. By Stephen Bonner (@stephenbonner)

Abstract: As the second-highest-rated speaker last year, I'd like to think I could just write 'It's Stephen Bonner, vote for this talk and there will be chocolates and weird outfits' but I want to be the highest rated this year; so get ready for an extravaganza of Gaussian proportions as I reveal the past, present and future of cyber-war and what we can all do to protect and survive in the new code war.

About the presenter: Stephen Bonner Stephen Bonner is a Partner in the Information Protection team at KPMG where he leads a team focused on Financial Services. Before KPMG he was Group Head of Information Risk Management at Barclays. He was inducted into the InfoSec “Hall of Fame” in 2010 and was number 1 on the SC/ISC2 ‘Most Influential 2010’ list. Company: KPMG Website: www.kpmg.co.uk/security

The presenter says... The level of difficulty of this talk is 3 and I consider it is suitable for Any Geek. This is a new talk and I’m sorry but can’t be filmed (only for those attending).

Catalogue of proposed talks for BSidesLondon13 Talk No.34

Thunder bolts and lightning By Stuart Thomas

Abstract: So-called Cloud computing is becoming the financial director's sunny dusk for the IT department. But does the Cloud matter, is IT dead, and what can you do about it anyway? This talk walks through some shady experiences and booby-traps with using the Cloud (for any public/private entity), trumps the benefits and points out some of the thunder clouds on the horizon. It's not all a bad forecast; there is a chance of sunshine.

About the presenter: Stuart Thomas From PlayStation to nuclear power stations, Stuart has secured and improved security for protecting sick notes, paper clips, a London stock exchange, banking and insurance infrastructure, ticketless travel on the London Underground to fissile material (indirectly). He has worked as an ethical hacker, volunteered as a human rights worker for the MoJ, trained as a soldier, and is now a CISO for a logistics and supply chain company. Stuart has 20 years of experience, and has helped clients of, and worked for, PwC, Reuters, London Stock Exchange, and BSkyB. Company: Independent

The presenter says... The level of difficulty of this talk is 3 and I consider it is suitable for Techies, Business, Any Geek. This is a new talk and it can be filmed and released.

Catalogue of proposed talks for BSidesLondon13 Talk No.35

Giving birth to a SOC By Stuart Thomas

Abstract: Threat and Vulnerability Management? No team, no budget, no monitoring? Is it the end of the world? What I did to help protect customers, the business and IT. This talk will tell an anonymised story of how I established two SOCs (Security Operations Centres), with staff who hated me, management who didn't understand me, and how I turned it all around to help protect the business and get recognition from the board down.

About the presenter: Stuart Thomas From PlayStation to nuclear power stations, Stuart has secured and improved security for protecting sick notes, paper clips, a London stock exchange, banking and insurance infrastructure, ticketless travel on the London Underground to fissile material (indirectly). He has worked as an ethical hacker, volunteered as a human rights worker for the MoJ, trained as a soldier, and is now a CISO for a logistics and supply chain company. Stuart has 20 years of experience, and has helped clients of, and worked for, PwC, Reuters, London Stock Exchange, and BSkyB. Company: Independent

The presenter says... The level of difficulty of this talk is 3 and I consider it is suitable for Techies, Any Geek. This is a new talk and it can be filmed and released.

Catalogue of proposed talks for BSidesLondon13 Talk No.36

You portscanned, you got a lot of data, now what? By Tiago Henriques (@balgan)

Abstract: In this presentation I'm gonna talk about portscanning. I'm gonna base this talk on a recent study I did with my research team for the country we live in (Portugal), but I'm not just gonna talk about the actual portscanning but rather about the entire process, from setting up the tools to do it, doing the portscan, and storing the data. I am then gonna explain how my team and I developed a tool to make this data accessible, searchable and updated in a FAST and AUTOMATED way using open-source tools only! I will also talk a bit about how you can combine data from portscans with other sources of data from an attacker's point of view to help you compromise all sorts of targets from a country. This talk will be combined with a live demo of the tool that we're currently developing.

About the presenter: Tiago Henriques Tiago 'Balgan' Henriques currently works for 7 Elements as a security tester and researcher. At the university he did some part time lecturing on a range of topics, from Computer Security to Networking and Cryptography. His main interests are: Cryptography, Pentesting, Information Security, Computer Security and Forensics, Vulnerability research. In his spare time, he is the leader of the security research team Portuguese Core Security (http://ptcoresec.eu). Company: 7Elements Website: www.ptcoresec.eu

The presenter says... The level of difficulty of this talk is 3 and I consider it is suitable for Techies, Any Geek. This talk has been presented at other conferences and it can be filmed and released.

Catalogue of proposed talks for BSidesLondon13 Talk No.37

Playing CTFs for fun & profit By Tim P (@impdefined)

Abstract: Want to know what's involved in playing a Capture The Flag contest? These competitions are a great way to put your skills into practice, and learn a lot along the way! I'll be talking about CTFs and wargames in general, and then going through some of the 44CON CTF 2012 challenges in detail. There will be code! Note that this will be an expanded version of the talk I gave at DC4420 in November 2012.

About the presenter: Tim P By day I'm a software developer. By night I like taking things apart and seeing how they work. I got interested in wargames and CTFs about 18 months ago, and have played and learned a lot in the last year and a half. This year (2012) I won the 44CON CTF and went home with some sweet lewt.

The presenter says... The level of difficulty of this talk is 3 and I consider it is suitable for Techies. This talk has been presented at other conferences and it can be filmed and released.

Catalogue of proposed talks for BSidesLondon13 Talk No.38

Cracking and analyzing Apple iCloud protocols: iCloud backups, Find My iPhone, document storage. By Vladimir Katalov (@vkatalov)

Abstract: Apple iCloud was meant to improve flexibility and comfort when using your iDevices; however, it also provides opportunities to extract as much as everything about the user. Backups: iCloud suggests backing up iMessage, SMS, photos and videos, device settings, documents, music and other things on-the-fly, which is useful for syncing or restoring in case your iDevice is lost or damaged; however, there is only one way to access iCloud backup data by organic means: you can only restore the backup onto any of your devices (linked to the same account) and, thus, only via Wi-Fi connection. This technical limitation is presupposed by design. But now we can show you a method to simply download everything onto any desired computer at hand, provided we have Apple ID and password. Find My iPhone: this application was also meant to help you track your own iDevices geographically and should be available strictly to the user under his/her own Apple account; however, there is a way to get geo-location data having neither an Apple device tethered to that account readily available nor access to the iCloud website. If location services are switched on, geo-location of the device can be detected by sending a push request (there will be an arrow indicator in the right upper corner of the target device screen) and getting the requested coordinates. Then, the received positioning data can be applied to any map you prefer (incl. Google Maps or any other), which I'm also ready to demonstrate. Storage: apart from backup, iCloud can store iTunes contents, photo stream, contacts, iWork documents, application files and more, which can be accessed either from any device signed up to the account or from icloud.com/iwork. However, not all information can be accessed from the iCloud webpage; for example, some application files (e.g. data generated by SoundHound) you may have on your iPad or whatever won't be seen from icloud.com/iwork. Our technological analysis allowed us to make it possible to access and download all storage information, including third-party application files on-the-fly and even without launching a work session in iCloud. Conclusion: iCloud stores large amounts of information and before now access to this info was restricted either by the necessity to have an iDevice available or by using the Internet and a web browser (knowing Apple ID and password is required). Now that we have reverse-engineered Apple iCloud communication protocols we can suggest an alternative technology to reach and download iCloud data and its changes in standalone mode.

About the presenter: Vladimir Katalov Vladimir Katalov is CEO, co-owner and co-founder of ElcomSoft Co.Ltd. Born in 1969, he grew up in Moscow, Russia. He studied Applied Mathematics at Moscow Engineering-Physics Institute (State University); from 1987 to 1989 he was a Sergeant in the Soviet Army. Vladimir has worked at ElcomSoft from the very beginning (1990); in 1997 he created the first program from which the password recovery software line started: Advanced ZIP Password Recovery. Now he coordinates the software development process inside the company and develops strategic plans for future versions. Company: ElcomSoft Co.Ltd. Website: www.elcomsoft.com

The presenter says... The level of difficulty of this talk is 3 and I consider it is suitable for Techies, Business, Any Geek. This is a new talk and it can be filmed and released.

Catalogue of proposed talks for BSidesLondon13 Talk No.39

An optimised and versatile approach to password cracking today By Yiannis Chrysanthou

Abstract: This presentation briefly describes the most popular password cracking techniques. It then suggests an optimized attack that combines several techniques with best performance in mind. The presentation suggests the use of Markov Chains for password recovery, in combination with a range of other modified versions of common attacks. All attacks work together and make use of common resources such as Dictionaries, and Rulesets to achieve the most optimal output possible. The result is a dynamic, highly flexible and robust attack that can be used by anyone with average computer literacy and limited resources within reasonable time. The attack is then put to the test against database dumps containing hashed passwords from recent leaks made public and subsequently results are presented.

About the presenter: Yiannis Chrysanthou Yiannis has been an information security professional for 5 years. He is now working as a penetration tester at KPMG. Yiannis is a member of team Hashcat, winner of "Crack me if you can" competition at Defcon and winner of Positive Hackdays / Hashrunner. He has also been maintaining a highly ranked password recovery website of his own for the past 6 years. Yiannis has a BSc in Computer Science and an MSc in Information Security. He has recently received an award for his MSc thesis on password cracking. Company: KPMG

The presenter says... The level of difficulty of this talk is 3 and I consider it is suitable for Techies, Business, Any Geek. This talk has been presented at other conferences and I’m sorry but can’t be filmed (only for those attending).

Catalogue of proposed talks for BSidesLondon13 Talk No.40

Crossing the divide - why there needs to be less security people in IT By Andreas Lindh (@addelindh)

Abstract: In this talk, I will try to highlight the growing division between security and the rest of IT and the consequences it has for businesses. I will talk about how IT needs to integrate security into its education of staff instead of having it as optional add-ons (if any at all), and that security education needs to contain both theoretic parts (when to do what and why) and hands-on parts (how to do it). I will also show some real-world examples that could have been avoided if the people involved had had even a basic understanding of the consequences of their actions security-wise. Finally, I will present the theory that if the average technician or developer had a better grasp on security, there would be less need for security experts and a higher level of productivity overall.

About the presenter: Andreas Lindh Security consultant / architect at ISecure Sweden AB and former security consultant, perimeter protection manager and infrastructure architect at Volvo IT Sweden. Opinionated security enthusiast, member of OWASP Sweden (even though I'm a crappy coder), musician, father, and all-around nice guy. Company: ISecure Sweden

The presenter says... The level of difficulty of this talk is 2 and I consider it is suitable for Techies, Business, Any Geek. This is a new talk and it can be filmed and released.

Catalogue of proposed talks for BSidesLondon13 Talk No.41

The History, Psychology and Techniques of Advergaming By Chris Boyd (@Paperghost)

Abstract: In-game advertising is becoming more visible (and in some cases, more intrusive) in the world of console, PC and mobile gaming. In many cases, disclosure related to what's happening with your PII is as bad as (if not worse than) the poor practices of the Adware industry prior to clean ups brought about by the FTC and the NYAG. Where is your data going? What are you consenting to when installing that "free" app? Which advertising networks are serving you "relevant" targeted advertising while playing the latest FPS? What psychological tricks are deployed to ensure advertising is served up throughout your gaming experience without you even realising it? From the first in-game ad from 1978 to the present day where as many as 40+ EULAs compete for your attention while installing a "free" game, this presentation will look at the history, development and current state of in-game advertising and how it affects you. Secret bonus level: What common PC scams and attacks will work just as well on a games console? (Please note: Some aspects of this talk have been covered at a recent conference but assuming you weren't one of 250 people in a hotel in Cebu Island, you won't have seen those slices of content at a conference before).

About the presenter: Chris Boyd Christopher Boyd is a Senior Threat Researcher for GFI Software, former Microsoft MVP in Consumer Security and former Director of Research for FaceTime Security Labs. He has given talks at RSA, RootCon and SecTor, and has been thanked by Google for his contributions to responsible disclosure. Boyd has been credited with finding the first instance of a rogue web browser installing without permission, the first Twitter DIY Botnet kit and the first rootkit in an IM bundle. Company: GFI Software Website: www.gfi.com

The presenter says... The level of difficulty of this talk is 2 and I consider it is suitable for Any Geek. This talk has been presented at other conferences and it can be filmed and released.

Catalogue of proposed talks for BSidesLondon13 Talk No.42

Practice What You Preach, or Stop Quoting Sun Tzu By Dennis Lemckert (@dlemckert)

Abstract: Helping organizations to embed secure-by-design systems in an existing infrastructure, or getting a security incident response team up and running, brings me into contact with lots of people in the security trade. Fortunately most know what they're doing. Unfortunately though, some don't. Lack of knowledge on their part seems to be masked by abundant use of platitudes, buzz-words and the famous quotes of Sun Tzu. The latest hype in computer security, Cyber Warfare, is not any different. But, all by itself, it introduces a whole slew of new buzz-words, phrases borrowed from the military. My own military background, in combination with my current work organizing and implementing a security incident response team, made me create a list of commonly heard/read phrases. This tongue-in-cheek talk will show a few, and explain their current use in the industry compared to their actual meaning from the military. Hopefully, this talk helps security professionals to update their buzz-word bingo cards and to out-wit the fast-talkers. But, aside from that, I try to show some actual doctrine which CAN be learned from the military, because sometimes a soldier from the BC era actually does have something to teach the modern computer guy.

About the presenter: Dennis Lemckert Working in the ICT business for almost 20 years, of which almost 12 are in or near the Security Business, Dennis has a relentless no-nonsense approach on how to do security. He's mostly schooled in the field, but he followed courses at Carnegie Mellon University as well. Telling others how to do it right, however, severely cuts into the time to play with the latest cool tools, so nowadays he spends most of his time writing documentation, both technical and non-technical, running awareness courses, teaching both technical staff and management and analyzing incident analysis processes. Website: www.dlemckert.nl

The presenter says... The level of difficulty of this talk is 2 and I consider it is suitable for Any Geek. This is a new talk and it can be filmed and released.

Catalogue of proposed talks for BSidesLondon13 Talk No.43

Firmware - the overlooked attack vector By Ian Williams (@fishermansenemy)

Abstract: To borrow a metaphor from pop culture, the operating system is the world that has been pulled over your eyes. Before you get to the logon screen a number of other systems have already booted and are running code. You don't get to see them, you don't get to talk to them and if they are working properly you never even know they are there. This also usually means that they are ignored by defenders and could be leveraged by bad guys to do many lulz-worthy things. In this presentation I will give an overview of the types of firmware that may be running in your system and the ways that they have been subverted by bad guys to bypass your defenses. I will also look at the other oft-ignored systems such as routers and TV tuner cards which have had their firmwares altered to give greater functionality to their owners. Lastly I will address what you should do to make sure that *every* part of your system is running what you think it is.

About the presenter: Ian Williams Ian is a newly minted penetration tester and security researcher based in Birmingham, UK. After spending 13 years in IT administering systems and 5 years defending them he decided to take the leap to the dark side and is now rattling electronic door handles for a living. Ian is an active board member with the OWASP Birmingham chapter and is hoping to break his con speaking cherry at BSides London 2013. Company: Xiphos Research Website: fishermansenemy.com

The presenter says... The level of difficulty of this talk is 2 and I consider it is suitable for Any Geek. This is a new talk and it can be filmed and released.

Catalogue of proposed talks for BSidesLondon13 Talk No.44

Get off my lawn: reporting internet abuse and getting something done By James Davis (@JanetCSIRT)

Abstract: Back when t’internet was all fields and the Internet was an academic playground, site administrators used to be a lot more diligent about reporting abuse and helping others keep their networks secure. Now port scans, abuse, malware and a lack of action from ISPs seem so common that we’ve almost become apathetic about reporting what we see. But from another angle, these reports and intelligence are absolutely vital to organizations that are passionate about fighting abuse and keeping their networks secure. Each report not sent represents an opportunity lost to learn from our mistakes and educate the Internet community. Sometimes it can be the first sign of an incident missed by more traditional security controls. In this talk I cover what you should expect when reporting abuse to service providers. What information is needed, and what formats are acceptable? What happens when this process breaks down, and what should you expect when things go well? Where can you go to for help and support? Just what lengths can you go to to help you get the action you need from another network operator? How do you reliably trace an upstream provider? How can you as a network operator make it easy for others to report incidents to you?

About the presenter: James Davis James Davis joined Janet, the UK's research and education network, in 2006 and is now a senior member of the CSIRT team. Janet CSIRT is responsible for coordinating the response to security alerts across the Janet network, which serves over 18 million end users. With six years' experience in dealing with everything from compromised servers and malware outbreaks to denial-of-service attacks and data exfiltration, James has been asked to speak at a number of events including BSides London, FIRST (first.org) and several Janet conferences. Company: Janet Website: https://www.ja.net/products-services/janet-connect/csirt

The presenter says... The level of difficulty of this talk is 2 and I consider it is suitable for Techies, Any Geek. This is a new talk and it can be filmed and released.

Catalogue of proposed talks for BSidesLondon13 Talk No.45

How to build a personal security brand that will stop the hackers, save the world and get you the girl By Javvad Malik (@J4vv4D)

Abstract: You're a security professional, but even your boss doesn't remember your name. Your brilliant ideas aren't listened to, you're never invited to speak at conferences and not even your mother visits your blog. In this talk I will take you on a journey of self-discovery that took me 3 years and went from another faceless security dude to someone in control of my personal security brand. What worked, what didn't work and all the behind-the-curtain magic exposed. If you're into building your personal brand, making your voice heard amongst the hundreds of security 'rockstars' and dinosaurs who get all the attention, this is the talk for you to attend.

About the presenter: Javvad Malik Javvad Malik is a Senior Analyst in the 451 Enterprise Security Practice, providing in-depth, timely perspective on the state of enterprise security and emerging trends. Prior to joining 451 Research, he was an independent security consultant, with a career spanning 12+ years working for companies including NatWest Group, Royal Bank of Scotland Group, Halifax Treasury Services, Tesco Bank, Lloyds Banking Group and BP. Javvad is an active blogger, video blogger and contributor to the information security community. His articles have been published in several online and offline publications and he is a coauthor of The Cloud Security Rules book. Javvad was a founder of the Security B-Sides London conference, and in 2010 was named as a finalist for SC Magazine's Blogger of the Year award. Company: 451 Research Website: www.J4vv4D.com

The presenter says... The level of difficulty of this talk is 2 and I consider it is suitable for Any Geek. This is a new talk and it can be filmed and released.

Catalogue of proposed talks for BSidesLondon13 Talk No.46

Running an Information Security Function effectively By Jitender Arora (@jee2uu)

Abstract: A security leader is faced with many challenges today: they have to be an expert on the subject matter, stay on top of new technology developments and emerging threats, hire the right talent, retain their team and motivate their team because they are people and not just assets, build effective relationships with the business community, build strong rapport with key decision makers, and the list goes on. There is always a thought at the back of his/her mind: Am I running my function effectively? Can I improve things to make my team more efficient? We will be looking at the core fundamentals that are the key ingredients of the secret recipe for running an Information Security Function effectively.

About the presenter: Jitender Arora Mr. Arora is an Interim Executive at GE Capital and is currently leading security transformation programmes at GE Capital EMEA to drive information security maturity across EMEA businesses. He has 12 years of experience in Information Security and Risk Management working within Financial Services, Manufacturing, Logistics, Technology and R&D. In his previous roles, he has been responsible for defining and executing information security strategy for the respective business areas that included conducting strategic review of the security function to assess their maturity, preparing business cases to secure funding for security improvement programmes to address identified gaps, presenting business cases, negotiating with senior stakeholders and managing these improvement programmes. Company: GE Capital EMEA Website: https://www.linkedin.com/in/jarora

The presenter says... The level of difficulty of this talk is 2 and I consider it is suitable for Techies, Business. This talk has been presented at other conferences and I’m sorry but can’t be filmed (only for those attending).

Catalogue of proposed talks for BSidesLondon13 Talk No.47

Data Exfiltration: Ninja Way By Pedro Lagun (@p_laguna)

Abstract: These days, with the daily Anonymous leaks on Pastebin, companies are facing the challenge of protecting their networks and corporate machines to avoid internal users (or attackers...) releasing their darkest secrets. In this session we'll discuss the different techniques to exfiltrate data from a corporate environment using so-called ninja techniques: obscure ways to send data to the internet avoiding possible IDS and corporate restrictive policies.

About the presenter: Pedro Lagun I have been working for more than 5 years on computer security, focusing mostly on web security but never forgetting about other disciplines. I'm what you could call a "security geek", always thinking of ways to break things and to bypass possible limitations in software, hardware and real life. Company: Pentura

The presenter says... The level of difficulty of this talk is 2 and I consider it is suitable for Techies, Business. This talk has been presented at other conferences and it can be filmed and released.

Catalogue of proposed talks for BSidesLondon13 Talk No.48

Is Security Awareness A Waste of Time? - A Monologue By Rohyt Belani (@rohytbelani)

Abstract: People continue to click on links, open file attachments, and even give up sensitive data for chocolates and candies; hence the advanced threat actors (did I just say that) succeed. Why is that? Are we wasting our time and money trying to get them to help the company's security posture? In this presentation I will present both sides of the argument with empirical data and my strong opinions, of course, as evidence to make arguments. You will be free to reach your own conclusions.

About the presenter: Rohyt Belani Rohyt is co-founder and CEO of PhishMe, Inc. He is a geek, who dons a suit (when needed), with withdrawal symptoms. Prior to PhishMe, Rohyt co-founded and ran Intrepidus Group, a mobile security company that was acquired by NCC Group PLC. In past lives he hacked networks and applications, reversed malware, and helped put bad guys in jail. He has a Masters from Carnegie Mellon University and a bunch of expired security certifications. Company: PhishMe, Inc. Website: www.PhishMe.com

The presenter says... The level of difficulty of this talk is 2 and I consider it is suitable for Techies, Business. This is a new talk and it can be filmed and released.

Catalogue of proposed talks for BSidesLondon13 Talk No.49

Subversive Cyber Warfare By Sven Herpig (@z_edian)

Abstract: Cyber Warfare has existed for two decades now and is still one of the most under-developed fields in strategic studies. Due to its unique nature at the junction of military and technology, frictions and tensions keep growing while holistic studies are rare. This talk will discuss cyber warfare, using a political, a military and a technological perspective to shed some light on its underlying nature, strategic implications and use for subversive actions such as the Olympic Games scheme of the United States. The presentation aims to cover all aspects of subversive cyber warfare, starting with a definition and continuing with stakeholders and their motivations, technologies and their unique features, strategic and political implications, and ending in a brief showcasing of the Olympic Games within this discussed framework.

About the presenter: Sven Herpig
• PhD Researcher on the Strategic Implications of Cyber Warfare at the University of Hull (GB)
• Information and Communication Technologies Freelancer
• Lecturer for International Relations and Technologies
• Presented at the Royal Military Academy of Sandhurst, the CCC hackover and the rootcon hacker and security conference
Company: Freelancer Website: www.zedian.info

The presenter says... The level of difficulty of this talk is 2 and I consider it is suitable for Any Geek. This is a new talk and it can be filmed and released.

Catalogue of proposed talks for BSidesLondon13 Talk No.50

Bust Your Risks (And Keep Senior Management Happy) By Thom Langford (@tandtsec)

Abstract: So you have a security risk management programme, now what? With a collection of risks, ratings and mitigating controls clearly recorded, why are they not getting fixed, reduced or even acknowledged? This session looks at the steps you can take to ensure your programme is a key part of your company’s strategy. Take a closer look at where you are today, the information you gather and the knowledge it provides to the company. What then can you do to present your findings in a language they understand and can act upon? What should you actually be presenting to senior management in the first place, and how often? And as you start to see more traction with them, how can you ensure long term success? Bust some moves and bust your risks!

About the presenter: Thom Langford Thom is currently the Director of Security Risk Management in Sapient's Global Security Office, responsible for highlighting and advising on delivery, compliance and industry security risks across North America, Europe and India. With nearly twenty years' experience in IT and Information Security, Thom brings an often opinionated view of risk, both in assessments and management, but manages to do so with humour and pragmatism (mostly). Website: www.tandtsec.com

The presenter says... The level of difficulty of this talk is 2 and I consider it is suitable for Any Geek. This is a new talk and it can be filmed and released.

Catalogue of proposed talks for BSidesLondon13 Talk No.51

Bust Your Risks (And Keep Senior Management Happy) By Thom Langford (@tandtsec)

Abstract: So you have a security risk management programme, now what? With a collection of risks, ratings and mitigating controls clearly recorded, why are they not getting fixed, reduced or even acknowledged? This session looks at the steps you can take to ensure your programme is a key part of your company’s strategy. Take a closer look at where you are today, the information you gather and the knowledge it provides to the company. What then can you do to present your findings in a language they understand and can act upon? What should you actually be presenting to senior management in the first place, and how often? And as you start to see more traction with them, how can you ensure long term success? Bust some moves and bust your risks!

About the presenter: Thom Langford Thom is currently the Director of Security Risk Management in Sapient's Global Security Office, responsible for highlighting and advising on delivery, compliance and industry security risks across North America, Europe and India. With nearly twenty years' experience in IT and Information Security, Thom brings an often opinionated view of risk, both in assessments and management, but manages to do so with humour and pragmatism (mostly). Website: www.tandtsec.com

The presenter says... The level of difficulty of this talk is 2 and I consider it is suitable for Any Geek. This is a new talk and it can be filmed and released.

Catalogue of proposed talks for BSidesLondon13 Talk No.52

UFOs, Dirty Dancing and Exploding Helicopters - Understanding Risk Management Hollywood Style By Thom Langford (@tandtsec)

Abstract: Do you know your Bruce Willis from your Bruce Schneier, or your Gone With the Wind from your Gone Missing in the Post? Using Hollywood as a backdrop this presentation illustrates the various principles of risk that can be used to underpin a successful risk management programme. Exploring concepts crucial to supporting the success, and failure, of your risk management programme, we look at how technology can be used, and abused, to meet your company’s goals; we see if your organisational structure itself is conducive to your success; and we review where the tips, and traps, of running a successful risk management operation lie. UFOs, Dirty Dancing and Exploding Helicopters - Understanding Risk Management Hollywood Style, showing now at BSidesLondon!

About the presenter: Thom Langford Thom is currently the Director of Security Risk Management in Sapient's Global Security Office, responsible for highlighting and advising on delivery, compliance and industry security risks across North America, Europe and India. With 18 years' experience in IT and Information Security, Thom brings an often opinionated view of risk, both in assessments and management, but manages to do so with humour and pragmatism (mostly). Company: Sapient Corporation Website: www.tandtsec.com

The presenter says... The level of difficulty of this talk is 2 and I consider it is suitable for Any Geek. This is a new talk and it can be filmed and released.

Catalogue of proposed talks for BSidesLondon13 Talk No.53

Are You Bad Boys or Tango & Cash? Approaching Your Risk Assessments for Success. By Thom Langford & Kai Roer (@tndtsec & @kairoer)

Abstract: Are you the good cop or the bad cop when it comes to how you carry out your risk assessments? Do you advise, coach and encourage? Or do you stick to the rulebook, call out the control failures and hand over your report? Perhaps you have only ever had the bad cop in the room and want to understand why? Focussing on communication techniques specific to the information security industry, and drawing upon examples from interactions with the audience as well as real world examples, the presenters will help people from both sides of an assessment communicate more effectively, understand their own motives and behaviours, and therefore allow them to be more impactful in their working environment. The presenters look at both the good cop and the bad cop to review where each approach is effective, and perhaps more importantly when they are not. Being able to “talk to the business” in terms that are understood is often highlighted as an essential skill often missing in the information security industry, and not least during a risk assessment! This presentation gives the skills, knowledge and smarts to get the most out of your risk assessments.

About the presenter: Thom Langford & Kai Roer
Thom is currently the Director of Security Risk Management in Sapient's Global Security Office, responsible for highlighting and advising on delivery, compliance and industry security risks across North America, Europe and India. With nearly twenty years' experience in IT and Information Security, Thom brings an often opinionated view of risk, both in assessments and management, but manages to do so with humour and pragmatism (mostly).
Kai Roer has delivered information security related projects to multinational corporations in Europe since 1994. He is client centric in his advice.
• He has delivered product, program and project management solutions.
• He’s worked as an analyst, architect, consultant, developer, and business developer.
• Kai has managed teams of up to fifty people, developed organizational best practices, and helped companies improve their processes.
• He’s worked as a coach and mentor, developed and delivered training to customers, peers, and employees. He is a certified trainer in JCI, training managers around the world.
• He’s delivered successful projects on time and under budget – at higher than required quality levels.
Kai has delivered projects of multimillion € value to his clients, and founded the company Roer.com in 1994. His international experience helps his clients leverage cultural and regulatory differences. Kai’s seniority has resulted in a large, international network. Please visit Kai’s LinkedIn profile for the resume. Company: Sapient Corporation & The Roer Group Website: www.tandtsec.com & www.roer.com

The presenter says... The level of difficulty of this talk is 2 and I consider it is suitable for Any Geek. This is a new talk and it can be filmed and released.

Catalogue of proposed talks for BSidesLondon13 Talk No.54

Beyond Social Engineering: Violating Trust Models Through Marketing By Aaron Crawford (@squirrelsnabrrl)

Abstract: In 2010 the Kansas City Infragard chapter held Kansas City's first mock Cyber Warfare event, called Cyber Raid. There, an unfair advantage was had by a red team member, Aaron Crawford, who used an elevated form of social engineering that not only fooled the blue team and event organizers but also the FBI agents present. Aaron shows how various trust models, training and experience are circumvented with new approaches to social engineering. He shows several real world examples, such as how a simple power strip and baby monitor can be combined into a cheap but undetectable listening device, as well as new attacks with USB memory sticks. Aaron provides a new elevated playbook of what to look for in social engineering campaigns and how to prevent them. Session Objectives: Learn how to go further than the current social engineering standards and implement devastating attacks, as well as how to prevent these attacks. Aaron will show how to launch a zero cost USB memory stick attack, as well as construct hidden listening devices with common office products. In addition, he shows how various trust models can be violated through targeted graphic design and marketing via an attack scenario of a trade convention. The session will also entail the actual construction of a device for an attack. After the session, attendees will be able to arm their enterprise with new defenses for social engineering as well as to improve the caliber of their social engineering engagements.

About the presenter: Aaron Crawford Aaron Crawford eats, sleeps and continually drinks from the proverbial information security fire hose. This passion for IT and Information Security has him working for Lares and in his spare time he runs Squirrels In A Barrel, an independent training and learning resource for Information Security. His obsession for training and Social Engineering has led him to form the World Championship of Social Engineering. A global Social Engineering capture the flag contest that allows participants to learn and safely practice Social Engineering. Company: Squirrels In a Barrel Website: www.squirrelsinabarrel.com

The presenter says... The level of difficulty of this talk is 1 and I consider it is suitable for Business, Any Geek. This talk has been presented at other conferences and it can be filmed and released.

Catalogue of proposed talks for BSidesLondon13 Talk No.55

FEED ME A CAT: Fun with office hardware By Graham Sutherland (@gsuberland)

Abstract: In this talk, we'll take a humorous look at the fun that can be had with office hardware. We'll look at printers, photocopiers, UPSes, projectors, air conditioning, lighting controls and a whole bunch of other devices you might find in your average office. These devices are often overlooked from a security perspective, and the "security" of some gadgets is nothing short of an unmitigated disaster. But wait, there's more! Not only will you get to take an amusing tour of the veritable derp-city that is the world of office hardware, but you'll get to see me do the presentation whilst wearing my trademark party hat! Disclaimer: No cats were harmed in the making of this presentation.

About the presenter: Graham Sutherland Developer by day, security researcher by night. Electronics tinkerer, internet activist, zombie eradicator, promulgator of useless facts, shrubbery inspector, bacon aficionado. Possibly still sane, though never been thoroughly tested. Wearer of party hats. Website: http://codeinsecurity.wordpress.com/

The presenter says... The level of difficulty of this talk is 1 and I consider it is suitable for Techies, Any Geek. This is a new talk and it can be filmed and released.

Catalogue of proposed talks for BSidesLondon13 Talk No.56

Why Don’t You People Listen! By Jim Shields (@jimshout)

Abstract: Why Information Security Employee Awareness doesn’t work. Why do so many attempts to change employee behaviour fail? And is the only option to simply broadcast the messages and hope for the best? Even if they do listen – how do you measure the success of your efforts…? As a creator of several award-winning global campaigns for major companies, and leader of the consortium for the creation of “Restricted Intelligence” – an initiative to create a world-class campaign resource which will be widely available to companies globally – Jim Shields wants to demonstrate how to get through to people. The answer is screamingly obvious – but tricky to achieve without some self-realisation. You are not a copywriter. You are not Eddie Izzard. You are not a Rock Star. You are Not Ridley Scott.*
*Unless you are Javvad Malik
In this rapid-fire presentation Jim will show (nay – perform!) new, never seen before clips of recent projects for major companies and give practical tips on how the communications you ARE making can be made more effective with just a hint of intimacy. Yes – they’ll make internal comms (and your boss) nervous – but they’ll work. They’ll also encourage your employees to become a mashup between Sherlock Holmes and The Mentalist, showing how their perception skills can be enhanced to deliver a powerful defence against phishing scams. He’s inviting a few of the performers from his talent files to perform real-time sketches about those hard to reach areas of training – such as social engineering, mobile devices, safe internet use and those terrifying social media attacks… He’d have gotten away with it too, if it wasn’t for those pesky kids…

About the presenter: Jim Shields Jim has had a passion for filmmaking ever since he discovered that he could combine the images he was drawing (pastels mainly) with sounds he'd captured in jars. More recently he turned to making simple comedies for the "interweb" helping companies achieve notoriety despite their crushingly dull products and services. He owns and runs Twist & Shout Communications, based in Leicester and, of all places, Dallas, TX. He has made over 50 short films about information security. Company: Twist & Shout Communications Website: www.restrictedintelligence.com

The presenter says... The level of difficulty of this talk is 1 and I consider it is suitable for Business, Any Geek. This is a new talk and it can be filmed and released.

Catalogue of proposed talks for BSidesLondon13 Talk No.57

Securing the Cyberspace By Jingwei Emil Tan (@EdgisSecurity)

Abstract: The rapid march of technology into every facet of our life has formed a whole new space – the cyberspace. Anyone with a computing device and an Internet connection is able to connect to the cyberspace, entering a non-physical space of pure emotion and intellect. My presentation will look into explaining how and why humans can always be exploited in the cyberspace, and how we can ‘attempt’ to secure this whole new virtual space, by exploring studies and theories from the geography and psychology disciplines.

About the presenter: Jingwei Emil Tan Founder of Edgis (http://edgis-security.org) - a non-profit security special interest group that encourages open source collaboration through online publications and educational programs. I’ve conducted and presented numerous workshops and awareness talks to University and Secondary school students in Singapore. Company: Edgis Website: http://edgis-security.org/

The presenter says... The level of difficulty of this talk is 1 and I consider it is suitable for Any Geek. This is a new talk and it can be filmed and released.

Catalogue of proposed talks for BSidesLondon13 Talk No.58

The New Dimension Of Incident Response: Social Media By Neira Jones (@neirajones)

Abstract: Not impressed with LinkedIn's social media crisis response after more than 6M user passwords got leaked in June 2012 (http://blog.linkedin.com/2012/06/09/an-update-on-taking-steps-to-protect-our-members/) or non-plussed with Dropbox's handling of their own crisis? Read on... In one of my blog posts, I wrote about incident response (http://neirajones.blogspot.co.uk/2012/02/incident-response-have-you-got-plan.html) and the importance of addressing the media in a timely manner. Whilst the draft NIST report SP 800-61 (http://csrc.nist.gov/publications/nistpubs/800-61rev2/SP800-61rev2.pdf) gives really good guidelines on the positive aspects of fully and effectively communicating important information to the public, I feel there is some mileage to be had by exploring the use of social media when tackling incident response. After all, we've all seen how quickly news can spread on twitter... So, should you be breached, you would no doubt have a crisis communication process already in place, but does it include social media?...

About the presenter: Neira Jones With more than 20 years in financial services, Neira has directed many global change programmes, launched new products/services and managed process reengineering practices. She believes in change through innovation, team work and collaborative partnerships to generate both top-line growth & bottom-line profit. Neira particularly enjoys business turnaround initiatives and anything compelling in the digital space. Currently Head of Payment Security at Barclaycard, she is responsible for security compliance & risk management of circa 100K customers & 3rd parties. She enjoys public speaking & is regularly invited to speak to various audiences across industries & regions. She is the proud recipient of the SC Magazine Information Security Person of the Year Award 2012, was inducted to the Infosecurity Europe 2011 Hall of Fame and was voted on the top 10 most influential people in infosec by SC Magazine & ISC2 in 2010. She has been on the PCI Security Standards Council Board of Advisors since 2009 & has recently been appointed Senior Vice President, Cybercrime for the Centre for Strategic Cyberspace + Security Science. Company: Barclaycard Website: http://www.barclaycard.co.uk/business/accepting-payments/

The presenter says... The level of difficulty of this talk is 1 and I consider it is suitable for Techies, Business, Any Geek. This talk has been presented at other conferences and it can be filmed and released.

Catalogue of proposed talks for BSidesLondon13 Talk No.59

The Unbearable Riskiness Of Being Social... By Neira Jones (@neirajones)

Abstract: The inevitability of social media in both our private and professional lives is undeniable. With social networks transforming the rules of business engagement, many businesses think the biggest risk of social media is the brand and reputational damage that could result from negative interactions or the potential disclosure of proprietary or sensitive information... That is, of course, a valid concern, and looking at a recent survey by Grant Thornton, such concerns are of course top of the list. As everyone agrees that this social media tidal wave is going to swallow us all up, we could reasonably assume that we are all already putting measures in place to retain some sort of control and manage our security and governance a bit better... Do we really know the risks?...

About the presenter: Neira Jones With more than 20 years in financial services, Neira has directed many global change programmes, launched new products/services and managed process reengineering practices. She believes in change through innovation, team work and collaborative partnerships to generate both top-line growth & bottom-line profit. Neira particularly enjoys business turnaround initiatives and anything compelling in the digital space. Currently Head of Payment Security at Barclaycard, she is responsible for security compliance & risk management of circa 100K customers & 3rd parties. She enjoys public speaking and blogging and is regularly invited to speak to various audiences across industries & regions. She is the proud recipient of the SC Magazine Information Security Person of the Year Award 2012, was inducted to the Infosecurity Europe 2011 Hall of Fame and was voted on the top 10 most influential people in infosec by SC Magazine & ISC2 in 2010. She has been on the PCI Security Standards Council Board of Advisors since 2009 & has recently been appointed Senior Vice President, Cybercrime for the Centre for Strategic Cyberspace + Security Science. Company: Barclaycard Website: http://www.barclaycard.co.uk/business/accepting-payments/

The presenter says... The level of difficulty of this talk is 1 and I consider it is suitable for Techies, Business, Any Geek. This talk has been presented at other conferences and it can be filmed and released.

Catalogue of proposed talks for BSidesLondon13 Talk No.60

Thirteen Things I Wish I'd Known Thirteen Years Ago By Nick Drage (SonOfSunTzu)

Abstract: A talk for those who are new to the industry, or for those who aren't and want to heckle. In my thirteen years of experience of Information Security I've learnt many lessons along the way; I'd like to pass on thirteen of those lessons.

About the presenter: Nick Drage A former systems administrator, network administrator, firewall administrator, network architect, security architect, PCI QSA and security consultant - and having worked for companies of between three and three hundred thousand employees - Nick is now a CHECK Team Leader with Hewlett-Packard Enterprise Services. Company: Hewlett-Packard Website: www.hp.com

The presenter says... The level of difficulty of this talk is 1 and I consider it is suitable for Techies. This is a new talk and it can be filmed and released.

Catalogue of proposed talks for BSidesLondon13 Talk No.61

An introduction to Open Rights Group By Peter Bradwell (@openrightsgroup)

Abstract: Open Rights Group will be presenting an introduction to digital rights. Explaining what we mean by this term, looking at some of the key areas of concern for us, and explaining three current strands of Government technology legislation: the Communications Data Bill aka ‘The Snoopers’ Charter’, proposals for default ‘on’ network filters, and the Digital Economy Act and related copyright enforcement. We will talk about how these issues are relevant and what we, Open Rights Group, are doing to change the digital future of Britain.

About the presenter: Peter Bradwell Peter joined Open Rights Group in January 2011 to campaign for copyright reform. Before this he worked at the think tank Demos for four years, where he focused primarily on technology policy. He is the author of a number of Demos publications including Private Lives: A People's Inquiry into Personal Information, Edgeless University, and Video Republic. He co-founded the music project Hometaping in 2009, and has an MA with Distinction in Critical Theory and Politics from the University of Nottingham. Tweets @peterbradwell Company: Open Rights Group Website: www.openrightsgroup.org

The presenter says... The level of difficulty of this talk is 1 and I consider it is suitable for Any Geek. This talk has been presented at other conferences and it can be filmed and released.

Catalogue of proposed talks for BSidesLondon13 Talk No.62

Respectful Disclosure By René Pfeiffer (@deepsec) & Anette Jelen

Abstract: All hacker events are platforms where new (or old) technology is discussed, created or put to a new purpose. The same is true for IT security events. The common ground is how to deal with people of different backgrounds. This is where things go very wrong and where (security) hackers have a lot to learn in order to transport their ideas to stubborn vendors, sales droids, politicians, journalists and all the others who weren't born with an Ethernet umbilical cord. A couple of conferences have adopted anti-harassment policies. Despite lots of good intentions to counter harassment, few look at the problems buried several layers below the symptoms. This talk tries to address the failures in communication, respecting others for what they are, the fine art of listening, compensation of low self-esteem with technology, 1337 hierarchies, interaction with strong personalities and cultural differences. Hopefully you will realise why sexism and other forms of harassment are often only the tip of the iceberg and why the problems cannot be solved by tweets, blog postings, policies and workshops alone. Any fraudster masters the fine art of communication better than some speakers at IT security events. Fraudsters cannot risk alienating their audience, so why do honest speakers do it? Let's be curious and find out.

About the presenter: René Pfeiffer & Anette Jelen René was born in the year of Atari's founding and the release of the game Pong. Since his early youth he started taking things apart to see how they work. He couldn't even pass construction sites without looking for electrical wires that might seem interesting. The interest in computing began when his grandfather bought him a 4-bit microcontroller with 256 bytes of RAM and a 4096-byte operating system, forcing him to learn assembler before any other language. After finishing school he went to university in order to study physics. He then collected experiences with a C64, a C128, two Amigas, DEC's Ultrix, OpenVMS and finally GNU/Linux on a PC in 1997. He has been using Linux since that day and still likes to take things apart and put them together again. In parallel universes he also teaches IT security at the University of Applied Sciences Technikum Wien, and he is one of the organisers of the DeepSec In-Depth Security Conference. Anette Jelen has been a Fraud & ID Consultant at Experian Austria since 2008. She has been involved with Fraud Prevention since the mid 1990s, when she was working in the Risk department of a telecommunications company, T-Mobile Austria. As Fraud prevention is all about profiling, decisioning and finding the weak spot, she became very attentive to human behavior in business as well as social circumstances. Since she has been working on an international level with corporates, financial institutions and TelCos around the world, consulting, communicating and observing has become more than just a job, but a fascination. Company: DeepSec GmbH Website: https://deepsec.net/

The presenter says... The level of difficulty of this talk is 1 and I consider it is suitable for Techies, Business, Any Geek. This is a new talk and it can be filmed and released.

Catalogue of proposed talks for BSidesLondon13 Talk No.63

Communication - you're doing it wrong By Steven van der Baan (@vdbaan)

Abstract: As pentesters we have to talk to various people in various functions, but all the solutions for the vulnerabilities found are targeted at developers. And this is where we could improve ourselves (and what this talk will address).

About the presenter: Steven van der Baan Steven worked as a programmer and software architect for more than ten years before crossing over to the other side (of the security fence). After that he helped a software services company to grow their own security unit over the last five years, during which time he also became an active member of the OWASP community. He migrated to the UK at the end of the summer of 2012, so the intricate communication skills of the British are still a bit foreign to him, which he makes up for with Dutch bluntness. Company: 7Safe

The presenter says... The level of difficulty of this talk is 1 and I consider it is suitable for Techies. This is a new talk and it can be filmed and released.

Catalogue of proposed talks for BSidesLondon13 Talk No.64

Memory board

Talk Number | Description (Title/Presenter) | My voting preference
1 | |
2 | |
3 | |
4 | |
5 | |
6 | |
7 | |
8 | |
9 | |
10 | |
11 | |
12 | |

Don’t forget to visit our website http://www.securitybsides.org.uk for voting information

See you April 24th 2013 for the next BSidesLondon!

The @BSidesLondon Crew