Our CFP process has completed and we’re now putting talks and workshops up. We still have a few more to add, but there’s enough up to start checking out. So, what are we covering this year?

This year’s talks are a heady mix of blue, red and purple team talks covering everything from bug bounties to hardware hacking, careers to cryptography and machine learning to mPoS. As always, expect to go from zero to hero, and get yer mind bent along the way. Here are some of the talks we’re really looking forward to seeing.
[NEW] They’re All Scorpions – Successful SecOps in a Hostile Workplace by Pete Herzog
This talk looks at how we can shift our approach to SecOps to be (more) effective in places where it feels like nobody’s listening. Pete is a battle-scarred veteran of the world of information security, and doesn’t shy away from asking (and answering) the difficult questions.
[NEW] Catch Me If You Can: Ephemeral Vulnerabilities in Bug Bounties by Shubham Shah and Michael Gianarakis
Bug bounties are an industry hot topic, with many people finding it hard to get a foothold because so much of the low-hanging fruit is already being picked by automation. Shubs and Mike are coming all the way from Australia to talk to us about ephemeral vulnerabilities: vulnerabilities that pop up and disappear again after short periods of time. They’ll share their secrets on industrialising bug bounty hunting, and we’ve been working with our sponsors Bugcrowd to come up with a 44CON-exclusive bug bounty to help you get started. This is a great talk for those looking to get into bug bounties, and also for those defending Internet-facing services with dynamically scaling architectures. This talk may feature some of the 300 bugs these guys have found over the past few years, but sadly it won’t be possible to fit them all into a 45 minute slot.
Ever make a payment using a mobile Point of Sale (mPoS) system such as Square or iZettle? You know, the ones with the little card readers that plug into some random person’s compromised phone that you use to make payments.
It turns out that some mPoS systems are not as secure as people thought they were.
It turns out that attacking some of these things isn’t hard.
It turns out that the cost of tampering with some of these things is about £8.
What could possibly go wrong?
[NEW] Weak analogies make poor realities – are we sitting on a Security Debt Crisis? by Charl van der Walt
Security is often framed in terms of risk, and we often back up our decisions with analogies. But are we genuinely using analogies correctly, or are we simply cherry-picking the ones that justify the risk decisions we’ve already made? In this talk, Charl looks at our approach to analogies and risk management, and explores security debt as an alternative decision-making tool, comparing it with the risk-based framing we usually reach for.
Charl also has an incredible workshop on deploying Microsoft’s Sysmon to help detect and defend against bad things on your networks. In itself, this is a great example of using security debt as a way of measuring investment in existing tools and people over buying new shiny boxes.