Viktor Lindström – Passwords are dead! (workshop)


Passwords are dead! We all know it, they can no longer be trusted. Only this year, the well known Troy Hunt has made his point over and over and OVER again. Yahoo did a boo boo, LinkedIn did a boo boo, Dropbox did a boo boo… The list is so long it’s not even worth continuing, it just makes you sad. You will know it for real if you had a “friend” that had an account on Adult Friend Finder or Ashley Madison.
So let’s step back and take a look at authentication. Wouldn’t it be nice if it were more like a real, tangible item which, when activated, grants you access when you use it? It’s groundbreaking! IT’S U2F-ZERO! Take this chance and build your own 2 Factor Authentication Key, and use it for your GitHub, Gmail, or why not implement 2FA on your own webpage.

To be clear – This workshop actually contains soldering your own 2FA-device that works. Components are free. No equipment required. Limited seats.

Viktor Lindström has a passion for security and loves the offensive as well as the defensive side. Currently his daily work is in the automotive industry, trying to do more good than bad. He has worked as a programmer, pentester and adviser, and loves to spread the word about security.



Lucas Lundgren has vast experience in IT security, with the “bad luck” (or tendency) to annoy companies by reporting vulnerabilities in their products. He started breaking things at the age of twelve, and has reported numerous vulnerabilities in various products. Having worked with penetration testing professionally for over 19 years, Lucas has held IT security positions within companies such as Sony Ericsson and IOActive. He was also part of Corelan Team before moving on to FortConsult (part of NCC Group).

Lucas has been breaking everything from OS vendors to financials, and he has spent a considerable amount of time inside “impenetrable fortresses”. He primarily focuses on penetration testing as well as fuzzing and exploit development, no matter the platform or medium, and he also has a passion for IoT and smart technology.

Ahmed Neil – Digital Forensics: Know your enemy and know yourself (workshop)


The widespread use of computers in many fields of daily life has caused computer crimes to increase. This has allowed cyber criminals to maliciously attack vital computational infrastructure to obtain or misuse information illegally. After a crime has occurred on a computer device, an investigation process should take place to reveal what happened, based on evidence. It is used to solve a mysterious event and help the court ascertain whether the suspect is innocent or guilty. In this talk I will be showing various techniques to extract and investigate digital evidence. I will also discuss some areas where an investigator can extract data from digital media.

Ahmed M Neil is a well known thought leader in application security and digital forensics whose work focuses on approaches to information security, risk analysis, and digital forensics. He holds an MSc in Information Systems – Computer Forensics from Mansoura University, Egypt. He is available to travel for the purpose of consultation with other experts in the field of security. He is also willing to train others so that they may share his methods, seminars, workshops and professional procedures.

Alex Inführ – PDF + the Web: What could possibly go wrong


PDF is a well-known file format in the world of PCs and even mobile phones.

This talk will focus on PDF Features in the context of the World Wide Web.

As soon as a PDF is opened in a web browser, the rules and security implications change.

The talk will discuss features like FormCalc, an easy to use language that can access files on the same origin.

I will show how FDF can be used to steal a static PDF, one which cannot be influenced by an attacker at all.

Additionally, some unfinished research will be shown, and a short glimpse of why Foxit Reader is even worse than Adobe Reader.

Alexander Inführ started his career as a Penetration Tester for Cure53 during his studies.

His research focuses on modern web browsers and the technology they use. This led to a contract with Microsoft, where he worked with an external team assigned to uncover flaws in Internet Explorer.

Today he is researching the Portable Document Format and modern PDF viewers. He has presented his findings at conferences like BSides Vienna, IT-SECX, OWASP AppSec 2015 and HackPra.

Nanne Baars – WebGoat: Teaching application security 101 (workshop)


A good defense against insecure code requires understanding the mechanics behind how attackers exploit simple programming mistakes.

The WebGoat team will walk through exercises like SQL Injection, XSS, ReDoS, CSRF, … and demonstrate how these exploits work.

We will show you how you can use WebGoat to train your developers to avoid these simple but common programming mistakes.

We also show you how to extend WebGoat to create lessons specific to your environment.

Join us to learn the most basic, but common, application security problems.
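The first exercise on that list, SQL injection, is the canonical “simple but common programming mistake”. The following is an added example, not a WebGoat lesson or WebGoat code (WebGoat itself is Java; Python and an in-memory SQLite table are used here so it runs anywhere): a login check that splices user input into the query string, beside the parameterised form that fixes it, exercised with two classic payloads. The `users` table and its two accounts are constructed for the demonstration.

```python
import sqlite3

# Constructed sample accounts (not WebGoat's schema). Real systems store password hashes, not passwords;
# that is a separate mistake from the one shown here.
USERS = [("alice", "s3cret-alice"), ("bob", "hunter2")]


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", USERS)
    return conn


def login_vulnerable(conn, name, password):
    # The mistake: untrusted input becomes part of the SQL text, so quotes and
    # comment markers in the input are interpreted as SQL.
    query = ("SELECT name FROM users WHERE name = '%s' AND password = '%s'"
             % (name, password))
    row = conn.execute(query).fetchone()
    return row[0] if row else None


def login_fixed(conn, name, password):
    # Parameterised query: the values travel separately from the SQL text and can
    # never change its structure, whatever characters they contain.
    row = conn.execute(
        "SELECT name FROM users WHERE name = ? AND password = ?",
        (name, password),
    ).fetchone()
    return row[0] if row else None


def sqli_demo():
    conn = make_db()
    # Payload 1: turns the WHERE clause into (name='alice' AND password='') OR '1'='1'.
    tautology = "' OR '1'='1"
    # Payload 2: closes the quote and comments out the password check entirely.
    comment_out = "bob' --"
    return {
        "legit_vuln": login_vulnerable(conn, "alice", "s3cret-alice"),
        "tautology_vuln": login_vulnerable(conn, "alice", tautology),
        "comment_vuln": login_vulnerable(conn, comment_out, "wrong"),
        "legit_fixed": login_fixed(conn, "alice", "s3cret-alice"),
        "tautology_fixed": login_fixed(conn, "alice", tautology),
        "comment_fixed": login_fixed(conn, comment_out, "wrong"),
    }


if __name__ == "__main__":
    for case, result in sqli_demo().items():
        print(f"{case:16s} -> {result}")
```

The second payload is the one to show developers: it logs in as a chosen user with no password at all, and the only difference between the two functions is who builds the SQL, the programmer or the database driver.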

Björn Kimminich – Gothenburg pwns the OWASP Juice Shop (workshop)


OWASP Juice Shop is an intentionally insecure web app made for pentesting and security awareness trainings. It is written entirely in the most sophisticated, beautiful and secure language on the planet: JavaScript! With reference to the OWASP Vulnerable Web Applications Directory, it seems to be the first (intentionally) broken web app published using Express/Angular/Node! In this session you will…

…learn why and how the Juice Shop was created! (25min)

…join Joe Average on a regular customer’s shopping tour! (5min)

…actively search and mercilessly exploit vulnerabilities in the application… (120min)

…thus releasing lots of happiness hormones as more and more achievement notifications light up in bright green! (instantly during hacking)

…be shown some of the harder challenge solutions on stage (10min)

Please bring your own laptop with a local installation of OWASP Juice Shop to the workshop! The application can be run locally on node.js, as a Docker container or in a Vagrant VM: https://github.com/bkimminich/juice-shop#setup. You can also bring all your favorite pentesting tools! Or just your favorite browser! Both work fine for hacking the Juice Shop!

If someone feels like translating (https://crowdin.com/project/owasp-juice-shop) the application into Swedish before the OWASP Gothenburg Day, I’ll bring a Juice Shop t-shirt to the event and hand it over live on stage! For everyone else, there will be free laptop stickers and also pin-back buttons!

Björn is a “hands-on coding architect” working for over 10 years in the area of software development, IT architecture and application security. His most sophisticated open source work (https://github.com/bkimminich) is the intentionally insecure web application Juice Shop, which recently became an OWASP Tool Project.

Avi Douglen – Passwords, Rehashed All Over Again


Passwords suck.

It’s no secret – passwords are boring, passwords are weak, passwords are STOOPID. We all hate using them, we all hate building systems for them, we all hate breaking them, we all just hate dealing with them. Nevertheless, passwords are here to stay as the most common authentication mechanism. At least, passwords are a simple mechanism, and we all understand how to protect them well enough.

Then how come we keep getting them wrong?

Wait, whaaaat??

Not only are password protected sites usually flawed; not only are millions of passwords stolen more often than stupid cat pictures are posted to Facebook; not only does your mother reuse the same simple password everywhere – we, the security industry, keep giving bad password advice!

This talk will discuss popular misconceptions regarding how to secure passwords, even amongst security experts. We will also show some practical attacks against the common recommendations in this area. Finally, I will share the simple solutions that we should be recommending, and prove mathematically that they are correct.
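The talk does not say which recommendations it takes apart, so the following is an added example of my own rather than the speaker’s material: the one piece of password advice that is uncontroversial, illustrated as code. It stores a constructed set of “stolen” unsalted SHA-1 hashes and shows that a single pass over a wordlist cracks every user at once, then stores the same password with a per-user random salt and a slow key derivation (PBKDF2-HMAC-SHA256 from the standard library, compared in constant time), so that the same password yields different records and cracking cost scales with both users and iterations. The wordlist, accounts and iteration count are constructed for the demonstration; tune the count to the slowest login latency you can accept.

```python
import hashlib
import hmac
import os

# Constructed wordlist standing in for the usual leaked-password lists.
WORDLIST = ["password", "123456", "letmein", "hunter2", "qwerty"]


def store_unsalted_sha1(password):
    # The weak scheme: fast hash, no salt, identical passwords give identical hashes.
    return hashlib.sha1(password.encode()).hexdigest()


def crack_unsalted(stolen, wordlist):
    # One hash per candidate serves every user in the dump at once, and the table
    # can be precomputed before the breach even happens.
    table = {store_unsalted_sha1(word): word for word in wordlist}
    return {user: table[h] for user, h in stolen.items() if h in table}


def store_pbkdf2(password, iterations=200_000):
    # The sane scheme: random per-user salt plus a deliberately slow derivation.
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return "pbkdf2_sha256$%d$%s$%s" % (iterations, salt.hex(), digest.hex())


def verify_pbkdf2(password, stored):
    algo, iterations, salt_hex, digest_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError("unsupported record: " + algo)
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations)
    )
    # Constant-time comparison so a mismatch is not detectable from timing.
    return hmac.compare_digest(digest.hex(), digest_hex)


def password_demo():
    # Constructed breach: two accounts stored with the weak scheme.
    stolen = {
        "alice": store_unsalted_sha1("hunter2"),
        "bob": store_unsalted_sha1("correct horse battery staple"),
    }
    cracked = crack_unsalted(stolen, WORDLIST)
    rec_a = store_pbkdf2("hunter2")
    rec_b = store_pbkdf2("hunter2")
    return {
        "cracked": cracked,                       # only the wordlist password falls
        "salted_records_differ": rec_a != rec_b,  # same password, different records
        "correct_accepted": verify_pbkdf2("hunter2", rec_a),
        "wrong_rejected": not verify_pbkdf2("Hunter2", rec_a),
    }


if __name__ == "__main__":
    print(password_demo())
```

Note what the salt does and does not buy: it stops the shared table and forces one derivation per user per guess, but it does nothing for a user whose password is in the wordlist, which is why the iteration count (or a memory-hard function) is the other half of the answer.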

AviD has always denied being a hipster, but when it comes to password misuse he is a downright cranky neckbeard.

During his many years as a developer, security lead, and consultant, he has been party to some pretty poor password practices. (Pretty poor password practice parties are not as much fun as you might think). Now, he is attempting to atone for that, and throws a hissy fit every time he encounters a site with counter-productive password practices. Stay on his good side and do the right thing.

For the past X years, AviD has been working as a consultant, supporting organizations of all sizes in integrating security methodologies and products into their development processes. He spends a lot of time doing security research, and often provides training on secure coding and other security topics. He is also a frequent speaker at industry conferences, such as OWASP and RSA.

AviD also leads the OWASP Israel chapter, is a community moderator on https://security.StackExchange.com/ , and volunteers as a high school tech teacher.

Janne Haldesten – Please hold, your call is being rerouted: Vulnerabilities in the SS7 protocol


Signalling System No. 7 (SS7) is a set of telephony signaling protocols developed in 1975, which is used to set up and tear down most of the world’s public switched telephone network (PSTN) telephone calls. It also performs number translation, local number portability, prepaid billing, messaging and other mass market services.

While vulnerabilities in SS7 for tracking, interception and denial of service have been reported as far back as 2001, the overall impact of these vulnerabilities on various sectors has not been detailed publicly. The abuse of SS7 for the purpose of attacking individuals and infrastructure should be considered extremely serious.

Interception of voice can be done easily using SS7, and it is undetectable and unpreventable by the user with current technology.
Using techniques to deny data services could force users away from secure methods of communication to less secure ones, such as GSM voice/data, allowing interception.

This presentation will point out why we are vulnerable, the attack vectors as well as current ongoing mitigation efforts.

Janne Haldesten is a fairly seasoned security specialist at Cybercom Group who just loves offensive security and network forensics!
He has worked as an adviser and subject matter expert to various government organisations and corporations nationally and internationally in matters regarding national security, critical infrastructure protection, information assurance, incident handling and investigation.

Janne is also a fellow at the Cyber Security Forum Initiative (CSFI) as well as a co-teacher at the Chief Information Assurance Officer program (CIAO) at the Centre for Asymmetric Threat Studies at the Swedish Defence University (CATS/SEDU). Janne is an occasional guest lecturer at George Washington University and Halmstad University apart from public speaking engagements where he presented on SS7 in Washington D.C. late August this year.

Marielle Eide – The new General Data Protection Regulation – Are you ready?


In May 2018 a new data protection regulation (“GDPR”) will enter into force. GDPR includes, among other things, extended security requirements for personal data which companies need to adapt to, such as “privacy by design and privacy by default”. A company that doesn’t follow the rules risks administrative fines of up to 4 %, so it’s time to start preparing! During the seminar you will get a brief introduction to GDPR in general, and to the security requirements in particular. This seminar will give you basic knowledge and some practical advice that may help you and your organization along the way towards GDPR compliance.

Marielle Eide is a lawyer specialized in IT, online and privacy law. She helps companies achieve success in business by writing and negotiating good contracts and providing legal advice, including how to tackle the legal aspects of data protection law. Marielle is part of Delphi law firm’s IT law team, which is top ranked in Sweden.

Lukasz Olejnik – (Ab)using Web Sensors: Privacy for the Modern Web


For the majority of users, the web browser is the most important computer application. Increasingly complex, exciting and rich features are standardized by W3C and implemented in web browsers on a regular basis. New browser features introduce interesting privacy challenges for standardization, research and development. I will demonstrate privacy analyses of a number of web browser mechanisms, discussing the past, present and future. I will detail modern and advanced web browser functionalities that allow access to information about the user’s system, or details about the user’s behaviour and his direct surroundings. Increasingly complex data provided by web browsers may mean that privacy impact assessments will become the standard in web application development.

Lukasz Olejnik is a London-based security and privacy consultant and a researcher at University College London. He completed his Computer Science PhD at INRIA (France). Prior to that, he worked at Poznan Supercomputing and Networking Center, and CERN. His interests include information, computer security and privacy, especially web, mobile and Internet of Things and Web of Things security and privacy.

Lukasz has published his work in top academic venues, with publications spanning fields such as quantum cryptography, security and privacy. He has authored a number of influential projects related to privacy. His recent project, SensorsPrivacy.com, analyses the privacy footprint of web sensors. Lukasz is a World Wide Web Consortium (W3C) Invited Expert, where he works on privacy aspects of web standards. He advises the Cybersecurity Expert Group of the National Security Bureau of the Republic of Poland.