Ian Trump: Meaningful Measurement: It’s About Time We Got This Right

Over the next few weeks we’re going to announce the 44CON talks and workshops. Don’t forget to get your tickets!

Our next announcement is Ian Trump – Meaningful Measurement: It’s About Time We Got This Right

That cyber-crime has driven the rise of malware during the last decade is not in doubt; how large that increase has been most certainly is. This measurement has, I would argue, been more speculative than evidential. The problem being that attempts to quantify malware usage are lacking any meaningful industry accepted standard when it comes to the metrics concerned.

When the numbers put forward by vendors, industry bodies and the media all vary so widely (not just between those sectors but within them as well), is it any wonder that any serious attempt to establish the scale, the cost or the impact of such attacks is doomed to failure? The disconnect between the reporting of cyber-crime and the actual metrics that are most important for both businesses under attack and the industry that exists to mitigate them will remain until the difficulties of comparing oranges with apples become apparent.

Attempting any such comparative exercise is fraught with peril and serves to highlight where we, as an industry, are getting our metrics wrong; the largely accepted cost per record breach metric is far too broad a brush to paint any kind of recognizable real world picture. When reporting and discussing the scale and impact of cyber-crime it is imperative that we move away from sensationalizing of one part of the story or consequence of the breach, that which will create the biggest search engine feeding frenzy. Who the criminals were is of less import than how they got in; compromise indicators are more valuable to other businesses than the financial cost to that particular victim.

The measurement metric dial has, ultimately, moved too far towards attribution and needs to be reset to prevention and a business-based analysis of risk once more. That business-based analysis itself needs to be more realistic, so there also has to be a move away from the kind of threat intelligence reporting which is almost exclusively dominated by data derived from the large enterprise sector and consequently of little relevance to the Small and Medium Enterprise (SME) market.

The data upon which threat intelligence and attack surface trend analysis resources are based must become more granular if it is to become more relevant across all business sectors. If we continue to go down the road of never disclosing or identifying the security components that failed or the components that were not in place when a breach happened, we will never make any progress against an elusive enemy.

Ian Trump, CD, CPM, BA is an ITIL certified Information Technology (IT) consultant with 20 years of experience in IT security and information technology. As a project and operational resource, Ian has functioned as an IT business analyst, project coordinator and as a senior technical security resource as required. Ian’s broad experience on security integration projects, facilitating technological change and promoting security best practices have been embraced and endorsed by his industry peers.

From 1989 to 1992, Ian served with the Canadian Forces (CF), Military Intelligence Branch; in 2002, he joined the CF Military Police Reserves and retired as a Public Affairs Officer in 2013. His previous contract was managing all IT projects for the Canadian Museum of Human Rights (CMHR). CMHR is the first museum solely dedicated to the evolution, celebration and future of human rights – it is the first national museum to be built in nearly half a century, and the first outside the National Capital Region.

Currently, Ian is the Global Security Lead at LogicNow working across all lines of business to define, create and execute security solutions to promote a safe, secure Internet for Small & Medium Business world wide.

Details of all of our talks, workshops and speakers are being announced daily. Don’t forget to book your tickets before they’re sold out!

Azhar Desai & Nicholas Rohrbeck: Effortless, Agentless Breach Detection in the Enterprise: Token all the Things!

Over the next few weeks we’re going to announce the 44CON talks and workshops. Don’t forget to get your tickets!

Our next announcement is Azhar Desai & Nicholas Rohrbeck – Effortless, Agentless Breach Detection in the Enterprise: Token all the Things!

Using honeytokens to detect breaches is an old idea that has been sporadically spoken about (and implemented less often). Despite recommendations from the occasional consultant, honeytokens have not been adopted as widely as they should have. This needed to change. In 2015, we released Canarytokens (http://canarytokens.org) to bring about wider use of tokens.

Canarytokens natively supports web bugs, DNS tripwires, SQL row tokens, document tokens and a handful of other friends. Via a simple web interface, several thousands of these tokens have been deployed worldwide (and a number of breaches have been reliably discovered). Considering that most tokens can be deployed in under 5 seconds, this was already pretty good ROI.

This year, tokens go much further. From abusing native OS functionality to bending cloud infrastructure, this talk covers work done in our new quest to “token all the things”. We’ll show infrastructure we built for users to easily set tripwires around their network without installing agents, deploying hardware or spending a cent. AlonAzhar Desai Speaker Photog with file format chicanery and old fashioned web-app-abuse, we will show new techniques (and defensive hacks) that you can use to detect breaches on your networks.

Azhar writes and runs software with a security bent at Thinkst, an applied research company focusing on information security. He has, in the past, had fun presenting with others from Thinkst at conferences such as Troopers (2015) and HITB KL (2014).

Nick is a software developer at Thinkst Applied Research. Before arriving at Thinkst, he was primarily a Java developer, but now his days are filled with Python, network security research, DevOps tinkering and (badly) playing Go.

Details of all of our talks, workshops and speakers are being announced daily. Don’t forget to book your tickets before they’re sold out!

Juan Perez-Etchegoyen & Nahuel Sanchez : Attacks on SAP HANA platform

Over the next few weeks we’re going to announce the 44CON talks and workshops. Don’t forget to get your tickets!

Our next announcement is Juan Perez-Etchegoyen & Nahuel Sanchez – Attacks on SAP HANA Platform

Companies nowadays are choosing between on-premise, cloud and hybrid deployment models. The common factor across all of these scenarios is the underlying platform, used in the background to run all on-premise and cloud-based applications developed by SAP. This platform is called SAP HANA, which is an in-memory database integrated with an application server that provides a new paradigm for vulnerabilities and risks, serving an increasing number of business applications, providing cutting edge features and overwhelming performance.

With the rise of IoT, many features and interfaces are integrated into SAP HANA and the HANA Cloud Platform, enabling it as a central point for IoT communications and making it an interesting target for anyone trying to access the information of several millions of devices across the world. Vulnerabilities affecting SAP HANA now have an increased attack surface, as these could be abused to compromise many diverse deployments and many customers, if the customers are not properly taking care of these risks.

Join us for this presentation to learn about diverse attack vectors affecting current SAP solutions, on-premise and cloud-based. You will not only learn technical details about these vulnerabilities, but also understand how to prevent and detect attacks to our crown jewels, running on HANA.

 

Juan Perez-Etchegoyen leads the Product teams that keep Onapsis on the cutting-edge of the business-critical application security market. He is responsible for the design, research and development of Onapsis’ innovative software solutions, and helps manage the development of new products as well as the SAP cyber-security research that has garnered critical acclaim for the Onapsis Research Labs. He is regularly invited to speak and host training at global industry conferences including Blackhat, HackInTheBox, Troopers, and SAP TechEd/DCODE. Prior to joining Onapsis, Juan led many Information Security consultancy projects for Companies in Latin America, EE.UU. and Europe. His strongest experience is in the field of Penetration Testing, Web Application Testing, Vulnerabilities Research, Information Security Auditing and Standards.

Nahuel D. Sanchez is a  security researcher at Onapsis. Being a member of Onapsis Research Labs, his work focuses on performing extensive research of SAP products and components, identifying and reporting security vulnerabilities, attack vectors and advanced exploitation techniques that are applicable to different platforms. Nahuel is one of the most frequent Nahuel Sanchez Speaker Photoreporters of vulnerabilities in SAP products and is a frequent author of the publication “SAP Security In-Depth”. He previously worked as a security consultant, evaluating the security of Web applications and participating in Penetration Testing projects. His areas of interest include Web security, reverse engineering, and the security of Business-Critical applications.

Details of all of our talks, workshops and speakers are being announced daily. Don’t forget to book your tickets before they’re sold out!

Steve Armstrong: Managing Incidents with CyberCPR

Over the next few weeks we’re going to announce the 44CON talks and workshops. Don’t forget to get your tickets!

Our next announcement is Steve Armstrong’s workshop Managing Incidents with CyberCPR

CyberCPR provides a secure environment for incident responders to discuss incidents, exchange files, review incident progress, provide automated analysis of evidence items and a range of other time-saving features based on practical experience.

This will be a hands on workshop, with students participating actively, accessing the demo CyberCPR system, creating incidents and adding evidence. In the workshop we will show the various aspects of the tool and how to get the most from it.

During this workshop we will explain the background security of the system, the integrity monitoring of the database, the file encryption of all evidence in the file vault and how sensitive incidents (unauthorized internal data access or child pornography) can be processed on the same system.

At the end of the workshop the attendees will have a good understanding of the capability of CyberCPR and how to operate its key features. They will leave with a VM of the CyberCPR ready to run on a laptop of their choosing.

Steve began working in the security arena in 1994 whilst serving in the UK Royal Air Force. He specialised in the technical aspects of IT security from 1997 onward and, before retiring from active duty, he lead the RAF’s penetration and TEMPEST testing teams. He founded Logically Secure in 2006 to provide specialist security advice to government departments, defense contractors, the online video gaming industry, and both music and film labels worldwide.

When not teaching for SANS, Steve provides penetration testing and incident response services for some of the biggest household names in the high street, online gaming and music media. To relax Steve enjoys playing Battlefield and FPS games to loud music.

You can follow Steve on Twitter @Nebulator

Details of all of our talks, workshops and speakers are being announced daily. Don’t forget to book your tickets before they’re sold out!

44CON Community Evening

The 44CON community evening is back again this year and it’s FREE to attend and will be taking place on Wednesday 14th September from 6:30pm (registration from 6pm).

We have some great talks, workshops & networking opportunities – Yes the big red bus is back and this year the bar is being sponsored by Amazon! So make sure you stop by to say hello and grab a drink.

If you can’t make it to the full event but still want to be part of 44CON the community evening is the perfect opportunity. If you have  purchased your ticket for 44CON, it includes entry to Wednesday evening, all you need to do is turn up. If you can only attend the Wednesday evening then you will need to register here.

We look forward to seeing many of you soon!

Rebekah Brown: The Frugal Girl’s Guide to Threat Intelligence

Over the next few weeks we’re going to announce the 44CON talks and workshops. Don’t forget to get your tickets!

Our next announcement is Rebekah Brown – The Frugal Girl’s Guide to Threat Intelligence

Threat intelligence can support incident prevention, detection, and response and contribute to an organization’s risk-based security posture, but unfortunately it has a reputation for being expensive and complicated to implement. Fortunately for those without bottomless pockets, threat intelligence doesn’t have to be a budget breaker, but building a cost effective capability does takes time, effort, and good old fashioned elbow grease. This talk will cover how to determine what level and aspect of threat intelligence to focus on, given your team, time, and goals. It will discuss how to identify the best open source, free, and low-cost intelligence resources for your organization and how to integrate them into operations. Attendees will leave this presentation with an understanding of some of the budget-friendly tools available to them, including threat intelligence platforms, information sources, analytic tools, and how to assess whether or not they are providing value to the organization.

Rebekah is the threat intelligence lead for Rapid7 where her responsibilities include program architecture, management, analysis and operations. Rebekah has spent over a decade in the intelligence community; her previous roles include NSA network warfare analyst, Operations chief of a United State Marine Corps cyber unit, and a Cyber Command training and exercise lead. She has helped develop threat intelligence programs at the federal, state, and local level as well as in the private sector and is a co-author for the SANS Cyber Threat Intelligence course.

Details of all of our talks, workshops and speakers are being announced daily. Don’t forget to book your tickets before they’re sold out!

Emil Tan: What it Means to Have the C Word in the National Security Agenda

Over the next few weeks we’re going to announce the 44CON talks and workshops. Don’t forget to get your tickets!

Our next announcement is Emil Tan – What it Means to Have the C Word in the National Security Agenda

This is a highly non-technical talk.

What is the meaning of ‘security’? Words like ‘information security’, ‘cyber security’ and ‘critical (information) infrastructure protection’ have found their way into many countries’ national security agenda over the past few years. When, how and why did that happen?

Many countries have developed and published ‘National Cyber Security Strategies’ which outline how cyber threats are dealt with at the national level. Everyone is facing the same threats in cyberspace, yet we are all approaching it differently. Why?

My talk is not a linear narration of history. My talk aims to explore and explain this phenomenon, from a policy analysis angle, of how ‘cyber security’ became a national security issue and what impact this has on the future.

Emil started his career in infosec as a researcher at Singapore’s Defence Science National Laboratories, focusing primarily in the area of intrusion detection and deception. He was later appointed security administrator at a Security Ops Centre in the Ministry of Defence, Singapore. Emil then pursued his BSc Computer Science and MSc Information Security at Royal Holloway, University of London.

Emil is an active advocate in the infosec community. He founded Edgis, a special interest group, and is also a Chapter Member with The Honeynet Project. Apart from these commitments, he also actively gets himself involved in infosec groups and events such as BSides London, Null Singapore, etc.

Emil’s infosec foundation is highly technical, however he was also involved in other interdisciplinary studies during his university years, e.g. Political Science, Communication Science, Geospatial Theory, Psychology, etc. Emil now enjoys viewing the infosec world through this multi-disciplinary lens.

Details of all of our talks, workshops and speakers are being announced daily. Don’t forget to book your tickets before they’re sold out!

CTF

This year we are delighted to announce that the Ministry of Justice will be running the CTF and they have some great challenges in store for you! Make sure you stop by and see them. 

Prison break – Season 6 coming soon!

Do you have what it takes to break into prison?MOJ_Logo_transparent (1)

This year the 44CON CTF is being hosted by the Ministry of Justice. Your challenge is to release your friend by “breaking in” to prison through a series of networking, web, infrastructure and other challenges.

We will host up to 20 teams of up to 5 people so, if you’re new, grab someone, team up or go solo to win a drone kit!

Our platform is over IRC to make this accessible to as many hackers as possible. This is where you submit flags and unlock rooms. Each team will have their own virtual environment so you can use whichever tools you want but, remember, you can only bring your machine down if you play unfair. No DoSing us or other teams!

Are you ready for the challenge?

Joe FitzPatrick & Joe Grand: 101 Ways to Brick Your Hardware

Over the next few weeks we’re going to announce the 44CON talks and workshops. Don’t forget to get your tickets!

*As we were going to print we found out that unfortunately Joe Grand is unable to make it to 44CON this year; however, Joe FitzPatrick will still be presenting this talk.

Our next announcement is Joe FitzPatrick & Joe Grand – 101 Ways To Brick Your Hardware

Spend some time hacking hardware and you’ll eventually render a piece of equipment unusable either by accident or intentionally. Between us, we’ve got decades of bricking experience that we’d like to share. We’ll document the most common ways of temporarily or permanently damaging your hardware and ways to recover, if possible. We’ll also talk about tips on how to avoid bricking your projects in the first place. If you’re getting into hardware hacking and are worried about messing something up, our stories will hopefully prevent you from experiencing the same horrors we did.

Joe Grand, also known as Kingpin, is a computer engineer, hardware hacker, runner, daddy, honorary doctor, TV host, member of L0pht Heavy Industries, and the proprietor of Grand Idea Studio (grandideastudio.com).

You can follow Joe on Twitter @joegrand

Joe FitzPatrick has spent a decade working on low-level silicon debug, security validation, and penetration testing of CPUS, SOCs, and microcontrollers. He develops and delivers hardware security training at https://SecuringHardware.com, including Applied Physical Attacks on x86 Systems. In between, he keeps busy with contributions to the NSA Playset and other misdirected hardware projects, which he presents at all sorts of fun conferences.

You can follow the other Joe on Twitter too @securelyfitz

Details of all of our talks, workshops and speakers are being announced daily. Don’t forget to book your tickets before they’re sold out!

Keynote Talk: Saumil Shah – 2016: The Infosec Crossroads

Over the next few weeks we’re going to announce the 44CON talks and workshops. Don’t forget to get your tickets!

The next announcement is our third Keynote: Saumil Shah – 2016: The Infosec Crossroads

Today’s attacks succeed because the defence is reactive. I have been researching attacks and offensive techniques for the past 16 years. As the defences kept catching up and closing open doors, we attackers looked for new avenues and vectors. This talk looks back on the state of defences during my days of One-Way Web Hacking in 2001 to Stegosploit in 2016, and a common pattern emerges. Defence boils down to reacting to new attacks and then playing catch-up. It is time to take another look at defense strategy. In this talk I present the basics of what should be the next evolution of pro-active defence architecture.

Saumil Shah is the founder and CEO of Net-Square, providing cutting edge information security services to clients worldwide. Saumil has been an internationally recognised conference speaker and instructor for over 15 years. He is also the co-developer of the wildly successful “Exploit Laboratory” courses and authored two books titled “Web Hacking: Attacks and Defense” and “The Anti-Virus Book”.

Saumil holds an M.S. in Computer Science from Purdue University, USA and a B.E. in Computer Engineering from Gujarat University. He spends his leisure time playing Pacman, flying kites, travelling around the world and taking pictures.

You can follow him on twitter @therealsaumil

Details of all of our talks, workshops and speakers are being announced daily. Don’t forget to book your tickets before they’re sold out!