Security BSides Athens 2023

BsidesAth Speaker

Talk #1

Hacking your favorite Kiosk

by A. Koureleas, G. Tyritidis, @fanky_4242

Abstract: The presentation covers the basic methodology used to perform penetration testing on Kiosk devices/applications, targeting both the operating system running on the device (Windows, Android, etc.) and the application being used (KioWare, Moki Kiosk, etc.). A demonstration will be performed on the different ways to perform Reconnaissance, Recognition, Physical Assessment, “Escaping” the Kiosk and finally Getting Access to the device.

Bio: Aristotelis Koureleas: Aristotelis is a Cyber Security consultant with a strong background in penetration testing. Holding an OSCP certification, he has dedicated himself to staying informed about the latest trends in the industry and advancing his skills. Currently employed at TwelveSec, Aristotelis works as an Information Security Consultant, where he assists clients in identifying and addressing potential security risks. He is passionate about exploring new technologies and techniques to improve security, and enjoys sharing his knowledge with others in the community.

George Tyritidis: George is a Junior Penetration Tester with two years of experience in Cyber Security. He is currently working for TwelveSec, where he assists clients every day in securing their systems through Penetration Tests. His main interests are doing Pentests and playing CTFs. George is a dedicated professional who is committed to staying up-to-date with the latest developments in his field in order to provide the best possible service to clients.

BsidesAth Speaker

Talk #2

Harvesting low hanging fruits in Red Teaming Exercises.

by Nick Kapellos, @kapellos

Abstract: As most Red Teamers will testify, a major objective of every TIBER-XX, Red Team and Assume Breach exercise is to gather up credentials in any way shape or form possible. After almost a decade of internal penetration tests, Red Teams, assume breach and TIBER exercises, common misconfigurations have emerged, from which we draw a number of quick wins to obtain those much-needed credentials as easily and quickly as possible. The talk will give illustrative lessons learned and past examples of easy ways to gather up the first, and most of the time, also the last credentials that an attacker will need during such exercises along with suggestions for remediation. Examples will be illustrated having in mind the Operational Security (OPSEC) side of things. By attending this talk, participants will acquire a quick-win list of password hunting techniques and remediation points.

Bio: Nikos has more than a decade of experience in the provision of advisory and assurance engagements. As a multi-disciplinary professional, his areas of expertise include TIBER and Red Team exercises, Penetration Tests, Vulnerability Assessments, Cyber Risk projects, Internal Audits, IT Audits and Data Analytics projects. Nikos has gained rich experience in serving several domestic and international organizations in various sectors and industries, e.g., Financial, Shipping, Energy, Telecommunications, Retail/Wholesale and more.

BsidesAth Speaker

Talk #3

Who said that Python was UNIX Best Friend Only?

by Xavier Mertens, @Xme

Abstract: Python is a wonderful language, easy to learn, powerful and integrates perfectly with any operating system. Yes, who said that Python was only popular in UNIX environments? (read: Linux, macOS, etc.) Today, there are more and more malicious Python scripts in the wild that work on Windows. They can interact with the webcam or keyboard to steal your data, they are able to interact with all Microsoft API calls and, therefore, perform more low-level actions like process injection. Even ransomware can be developed in Python. You feel safe because Python is not installed on your workstations? No problem, Python can be installed easily from stage 0! In this talk, I'll present some findings that I collected for a while around Python malicious code in the Windows ecosystem.

Bio: Xavier Mertens is a freelance security consultant running his own company based in Belgium (Xameco). With 15+ years of experience in information security, Xavier finds “blue team” activities more attractive. Therefore, his day job focuses on protecting his customers' assets by providing services like incident handling, malware analysis, forensic investigations, log management, security visualization, and OSINT. Besides his day job, Xavier is also a Senior Handler at the SANS Internet Storm Center, Certified SANS Instructor (FOR610/FOR710), security blogger and co-organizer of the BruCON security conference.

BsidesAth Speaker

Talk #4

Electryone: in the land with no sun

by Vangelis Stykas, @evstykas

Abstract: During this talk, we will see that many photovoltaic (PV) inverters suffer from typical rush-to-market problems that can introduce weaknesses and potentially allow a remote attacker to fully control or brick them. Targeting an installer cloud means that a successful attack would give elevated access to the inverters, including functions not accessible to PV owners. In this talk we are going to review how attacking a PV installer cloud could lead to taking hundreds of thousands of inverters offline and introduce instability into countries’ power grids. All attacks are remotely exploitable and a result of logic flaws introduced by the web portals’ developers. Those logic flaws vary from simple Insecure Direct Object References (IDORs) to self-promoting your user to platform admin.

Bio: Vangelis began as a developer from Greece. Six years ago he realized that only his dog didn’t have an API, so he decided to steer his focus towards security. That led him to pursue a PhD in Web Application Security with an extra focus on machine learning. He’s still actively pursuing it. He currently applies his skills as a Chief Technology Officer at Tremau and during his free time Vangelis is helping start-ups secure themselves on the internet and get a leg up in security terms. His love of a simplistic approach to hacking by exploiting vulnerable APIs led him to publish research regarding API controlling ships, smart locks, IP cameras, car alarms, EV chargers and many other IoT devices. Since our lives are nowadays extremely cyber dependent, his goal is to convince all companies to never neglect their API security as rush-to-market mentality is almost certain to lead to catastrophic security failure.

BsidesAth Speaker

Talk #5

Panel Discussion - Inclusivity in Cyber Security

by Christina Skouloudi, Christina Kapi, Konstantinos Moulinos, Joana Basa, Georgios Diavolitsis

Christina Skouloudi -
Bio: -
Christina Kapi - Head of Risk & Information Security Officer
Bio: Christina Kapi holds the role of Head of Risk & Information Security Officer at Cosmote Payments. She has extensive experience in the areas of information security governance, risk management and IT systems audit. She has worked in consulting & audit firms, as well as the telecom industry, leading a long track of engagements in Greece, Europe, and the UAE. She holds an MSc in Digital Systems Security and professional security certifications, such as CISA, CISM and ISO 27001 Lead Auditor.
Konstantinos Moulinos - Expert in Network & Information Security
Bio: Moulinos is a cyber security expert. He worked for more than 10 years as an information systems auditor for the Greek DPA and since 2012 he has been working for ENISA as an expert in the area of critical information infrastructure protection. Moulinos has been awarded a diploma in informatics, a master of science in information systems and a Ph.D. in privacy enhancing technologies. He has served cybersecurity from various posts: as an auditor, as a scientist, as a researcher involved in various cybersecurity projects, as an advisor participating in various technical committees and, last but not least, as a guest speaker at several seminars, public discussions and lectures.
Ioana Basa - Project Leader at Just One - Headhunting & HR Agency
Bio: Ioanna Bassa is a Project Leader at Just One, which is a Headhunting & HR Agency. She holds an MBA in Human Resources and a BA in Psychology from Cardiff University. She has experience in human resource development and talent acquisition and management. In her short professional career, she has managed to acquire a specialization in the field of cyber security, undertaking the implementation of large projects with major companies in the sector in Greece and abroad.
Georgios Diavolitsis -
Bio: After being exposed to coding during my Biomedical Engineering degree, I knew that a turn to software was right for me. Out of all the possible fields of coding and IT, cybersecurity is the most fascinating. It demands a rich and ever-expanding technical understanding, as well as an instinct for research, asking the right questions, and employing the right strategies. It is as much technical as it is human.

Guest Appearance: Cyber Women Warwick Initiative

BsidesAth Speaker

Talk #6

Automated Security Testing With OWASP Nettacker

by Sam Stepanyan, @securestep9

Abstract: OWASP Nettacker project (a portmanteau of “Network Attacker”) is an awesome and powerful ‘swiss-army-knife’ automated penetration testing framework fully written in Python. This talk will feature a live demo and practical usage examples of how organisations can benefit from this OWASP project.

Bio: Sam Stepanyan is an OWASP London Chapter Leader and an Independent Application Security Consultant with over 20 years of experience in the IT industry with a background in software engineering and web application development. Sam has worked for various financial services institutions in the City of London specialising in Application Security consulting, Secure Software Development Lifecycle (SDLC), developer training, source code reviews and vulnerability management. He is also a Subject Matter Expert in Web Application Firewalls (WAF) and SIEM systems. Sam holds a Master’s degree in Software Engineering and a CISSP certification.

BsidesAth Speaker

Talk #7

From chasing clouds to governing them - A cloud security journey

by Paris Zoumpouloglou, @pzubu

Abstract: There's no doubt that cloud technology offers speed, flexibility and allows rapid product development. However, increased autonomy comes at the expense of increased complexity. Soon you might find yourself with a significant attack surface consisting of misconfigured infrastructure, loose access policies and abandoned cloud resources. Two years ago we embarked on a journey to establish a cloud security governance program with the goal to set secure foundations for our rapidly expanding use of cloud infrastructure which consists of hundreds of accounts and dozens of thousands of workloads across multiple providers. In this talk I will present the approach we've taken, the lessons learned so far and things to look out for. A framework will be provided for moving from theory to action, starting with defining governance policies and building auditing, preventative and corrective mechanisms to implement them. Finally, the benefits of approaching the cloud security space with an engineering mindset will be discussed, leveraging concepts such as GitOps and event-driven automation and not forgetting the importance of building strategic partnerships within an organization.

Bio: Paris Zoumpouloglou is a security engineer at Riot Games. He started experimenting with security concepts during high school and has been involved with InfoSec as a profession and a hobby for the past 15 years. Paris started his career as a penetration tester but after a few years of breaking things he wanted to help others build more secure software and systems. A few years ago he had the idea of combining his love for video games with security and joined Riot Games where he is currently the tech lead of Product Security.

BsidesAth Speaker

Talk #8

May the DFIR Force Be With You: A Pragmatic Guide to Incident Response

by Georgios Kapoglis, @g3orgi0s

Abstract: A long time ago, in a galaxy far, far away, security incidents were a constant threat to organizations. Despite the prevalence of security incidents, many organizations lack the resources or expertise to respond effectively to these threats. In this talk, we will explore the different levels of incident response maturity and provide practical strategies for responding effectively, regardless of the size or maturity of your organization's incident response capabilities. We will begin with an overview of incident response maturity, including the different levels of maturity and the key capabilities required at each level. From there, we will delve into the different phases of incident response, including incident triage and investigation, identifying the root cause of an incident, and taking appropriate action to prevent future incidents. Whether your team is a small band of rebel fighters or a large army of Jedi knights, we will provide practical guidance on how to respond effectively to security incidents. We will discuss the importance of establishing relationships within the organization, building trust, and setting expectations with your leadership. We will also cover the role of incident response automation in improving response times and reducing the impact of security incidents. We will provide practical guidance on how to leverage automation to improve incident response capabilities and free up incident response teams to focus on high-value tasks. Attendees will leave this talk with a deep understanding of incident response maturity and practical strategies for improving their organization's incident response capabilities. So, grab your lightsabers and join us, and together we will bring balance to the Force!

Bio: Georgios is a Senior Security Engineer with extensive expertise in Security Incident Response, boasting over 7 years of experience in the InfoSec field. In 2017, Georgios shifted his focus to the DFIR (Digital Forensics and Incident Response) space, joining Yahoo Paranoids as a member of their Forensics and Incident Response team. More recently, he has taken on a role as the lead of Incident Response at Roblox. Throughout his career, Georgios has managed complex security incidents and developed various incident response strategies and plans.

BsidesAth Speaker

Talk #9

Shielding Europe: DNS4EU's Pan-European Protective DNS Service for 100 Million Users!

by A.Kyriakou, T.Vogel, @andronkyr

Abstract: DNS4EU is a secure and privacy-compliant recursive DNS resolver that provides a European alternative to public DNS resolvers operated by non-EU entities. The project is a key policy action of the EU's Cybersecurity Strategy, aiming to ensure European internet sovereignty and protect EU-based internet users from both global and local cybersecurity threats (e.g. phishing campaigns in local languages). Led by Whalebone, the consortium deploying the service consists of multiple cybersecurity experts, such as CERTs, Public/Research institutions, Academia, private companies, and NGOs. The primary goal of the project is to safeguard the privacy and security of 100 million Internet users, with optional services such as parental control and paid premium services for corporate environments. In addition, the consortium has placed a strong emphasis on ensuring the infrastructure complies with EU data protection and privacy laws, further enhancing the trust and confidence in the service. In this presentation, we will delve into the architecture of DNS4EU and its deployment considerations. Additionally, we will discuss the steps necessary to offer state-of-the-art protection based on reliable threat intelligence and information exchange with trusted partners (e.g. CERTs), as well as explore options for community contribution and implementation activities that can pave the way for community ownership of the service. More information on the DNS4EU project can be found at: https://www.whalebone.io/dns4eu and https://ec.europa.eu/info/funding-tenders/opportunities/portal/screen/opportunities/topic-details/cef-dig-2021-cloud-dns-works

Bio: Andronikos Kyriakou: Andronikos is the Technical Consulting Lead at Whalebone, a digital life protection company. In the past four years, he has worked closely with more than two dozen EMEA Telecom Operators to design, implement and launch consumer-focused DNS-based Cybersecurity, and Identity Protection solutions. Prior to joining Whalebone, Andronikos was a member of SCYTALE Group and presented his research on Automated Deployment of Honeypots at BSides Athens 2018.

Tomas Vogel: Tomas is a Threat Intelligence analyst at Whalebone, researching emerging threats and developing systems for detection of malicious domains for Whalebone's protective DNS. Before joining Whalebone, Tomas worked for 3 years as a Security analyst and Incident responder at GovCERT.CZ of National Cyber and Information Security Agency, dealing with incidents at government entities and critical infrastructure systems.

BsidesAth Speaker

Talk #10

Don't Be The Catcher On The Javelin Team

by Dave Lewis, @gattaca

Abstract: We often concern ourselves with security when an incident has taken place. It may be in our own enterprise or in another company in a similar market space. We tend to focus on the issue once something bad has happened. We add a home alarm system after there has been a break-in for example. There is a visceral reaction. Much in the same vein as when a criminal breaches our computer systems. We feel violated as a result. When we look at the healthcare profession they treat the symptoms of an illness. There needs to be more attention paid to the choices that led there. As with security, we need to look at the strategic aspects. The same can be true when we look at the enterprise level. With rising cyberattacks, organizations need to ensure robust security measures. Zero trust eliminates trust assumptions and verifies identity/trustworthiness before granting access. Security resilience involves having a coherent plan to respond to incidents and minimize their impact. This talk explores these concepts and the importance of implementing them to defend against hackers. Key considerations and best practices for security professionals will also be discussed to enhance security resilience and implement a zero-trust architecture and how security intelligence can better protect organizations.

Bio: Dave has 30 years of industry experience. He has extensive experience in IT security operations and management. Dave is a Global Advisory CISO for Cisco. He is the founder of the security site Liquidmatrix Security Digest & podcast as well as the host of DuoTV and the Plaintext podcast. He is currently a member of the board of directors for BSides Las Vegas. Previously he served on the board of directors for (ISC)2 as well as being a founder of the BSides Toronto conference. Dave has been a DEF CON speaker operations goon for over 10 years. Lewis also serves on the advisory board for the Black Hat Sector Security Conference and the CFP review board for 44CON. He is currently working towards his graduate degree at Harvard. Dave has previously written columns for Forbes, CSO Online, Huffington Post, The Daily Swig, and others. For fun, he is a curator of small mammals (his kids), plays bass guitar, grills, and is part owner of a whisky distillery as well as a soccer team.

BsidesAth Speaker

Talk #11

Threat Modeling in 600 seconds or less (ok, I lied, more like 1,200)

by Kat Fitzgerald, @rnbwkat

Abstract: Threat Modeling in only 10 minutes? I’m in!! Oh wait, it’s really 20 minutes? Yes, Threat Modeling is both FUN and EXCITING and can shave tons of time off SDLC - if done right. So let’s get down and dirty and see what it takes to do a good Threat Model!! Threat Modeling is an art, are you an artist? You can be. Simply put, it is all about understanding what your project might possess that bad actors might want and how they might come after those valuable assets. There are several methodologies and approaches and many will tell you “Real Threat Modeling can take months”. Meh - it doesn’t really have to be that way. K.I.S.S. is real, let’s make it work here! But what is Threat Modeling? Take a seat, and I'll show you!

Bio: Based in Chicago and a natural creature of winter, you can typically find me sipping Grand Mayan Extra Anejo whilst simultaneously defending my systems using OSS, magic spells and Dancing Flamingos. Honeypots & Refrigerators are a few of my favorite things! Fun Fact: I rescue Feral Pop Tarts and have the only Pop Tart Sanctuary in the Chicago area.

BsidesAth Speaker

Talk #12

Anti-Virus Evasion through BadUSB

by Cristian Cornea, @Twitter

Abstract: During this presentation, we will take a look at how we can bypass most Anti-Virus detection using a payload embedded on a BadUSB device, resulting in a silver bullet for gaining initial access inside a victim network. A demo will also be included during the presentation. Agenda:
- AMSI Bypass Development
- Execution Policy Bypass
- Payload Runner Development
- Deploying Attack using BadUSB
- Post-Exploitation Persistence
- Prevention

Bio: Founder @ Zerotak Security | President @ Romanian Cyber Security Training Centre of Excellence | Scheme Committee Member @ EC-Council CEH | Speaker at multiple conferences. LinkedIn - https://linkedin.com/in/cristian-cornea-b37005178

BsidesAth Speaker

Talk #13

Mitigating SSRF Vulnerabilities in Go: A Practical Guide

by Marcin Niemiec, @xvnpw

Abstract: In this talk, I’ll expose the dangers of SSRF in Go and demonstrate how easy it is for developers to introduce this vulnerability. I’ll also show how to protect against it using positive validation and libraries like safeurl. Live coding and exploitation of a simple service will be included.

Bio: Marcin is a security researcher, bug bounty hunter and appsec engineer.

BsidesAth Speaker

Talk #14

Responding to Lapsus$ Style Smishing Attack, or How to Out an Actor!

by Thomas Fischer, @fvt

Abstract: It's Memorial weekend 2022, and users start reporting strange texts asking them to connect or lose their VPN access. We triggered our response process and things got serious after 2 users informed us they had clicked on the link. 5 days later they came back, but this time we were more prepared. Working with our logs, Slack and our game data, we were able to identify exactly what the actor targeted and that they were players of our games. This was a Lapsus$ style attack, with the actor ending up focusing on our Slack instance and the bots that we use. During the lessons learnt, we will show how, by using the extended Slack logs, we identified exactly what actions the actor carried out. GroupeIB in July revealed this as the Oktapus group. In this talk, we will build a timeline of the attack and our response. We will also review some lessons learnt.

Bio: Thomas has over 35 years of experience in the IT industry, ranging from software development to infrastructure & network operations and architecture, before settling in information security. He has an extensive security background covering roles from incident responder to security architect at Fortune 500 companies, vendors and consulting organisations. While currently focused on SecOps at a gaming company, Thomas continues as a security advocate and threat researcher focused on understanding data protection activities against malicious parties and continuous improvement in the incident response process. Thomas is also an active participant in the InfoSec community, not only as a member but also as director of Security BSides London, and regularly shares at events like SANS DFIR EMEA, DeepSec, Shmoocon, ISSA, and various BSides events.

BsidesAth Speaker

Talk #15

It’s not a bug, it’s emergent behaviour - Generative AI, its cybersecurity risks and benefits

by Sherif Mansour, @Kerberosmansour

Abstract: A curated talk on generative AI, where we will present our research findings beginning with an overview of the technology, then discuss its current technical risks, and explore its promising security use cases without making grand claims. Additionally, we will dive into design considerations when developing web applications utilising generative AI. To conclude, we will introduce open-source software announced during the talk, encouraging attendees to use and investigate them at their own discretion.

Bio: Sherif Mansour is the global director of information security at JustEat Takeaway.com and has been working in the field of information security for 19 years. He was the OWASP chairman and sat on the OWASP Foundation's board for four years. He was also one of the founding governing board members of the OpenSSF Foundation, where he represented the OWASP Foundation. Sherif contributed to several OWASP projects and was one of the main authors of the CIS Benchmark for Tomcat 7/8. As a security researcher he has disclosed vulnerabilities in Microsoft, Oracle, SAP and SiteSpect products.

BsidesAth Speaker

Talk #16

Defending AppSec: From Mass Scanning Low Hanging Fruit to Digging for Critical Bugs

by Ethan Crane, @bonsaiboi268, and Viktor Markopoulos, @vict0ni

Abstract: Security of applications remains a common and effective method for attackers to exploit systems and gain access to data. Our talk will cover common weaknesses in the Application Development lifecycle that are harder to detect with automated testing. Vulnerabilities in Business and Application logic will be considered, as well as the dangers of front-end verification and authorization. Real-world examples will be given from findings we’ve seen during our assessments. We will then delve deeper into solutions to these issues and attempt to balance end-user ease of use with security best practices. Additionally, since mass scanning allows us to uncover vulnerabilities and pitfalls in web applications in a broad scope by using tools and automation, it can help us quickly identify low (and not-so-low) hanging fruits and exploit them. By leveraging techniques commonly used by the bug bounty community, we can better detect and defend against common application security errors.

Bio: Viktor is an information security consultant for Bitcrack Cyber Security in South Africa and living in Athens. His interests are web application and API pentesting, and bug bounty hunting in his spare time. He also co-manages an online cybersecurity community for beginners up to experienced hackers, 0x00sec.

Ethan is an information security consultant at Bitcrack Cyber Security in South Africa. He has a keen interest in mobile and web application hacking and finding vulnerabilities in production systems. His primary focus is on high-value transactional systems. He also enjoys password cracking and finding new ways to approach the cracking of passwords.

BsidesAth Speaker

Talk #17

How to Deal with Millions of Application Vulnerabilities?

by B. Aksaray, A. Akan, @Twitter

Abstract: We have been working at the biggest e-commerce company in Turkey as senior application security engineers for 2 years. During this time, we have gained experience in how to deal with 20k+ repositories, 15k+ microservices and millions of vulnerabilities. Would you like to know how?

Bio: We are Ahmet and Berkay. We have 7 years of experience in application security. We have been working at the biggest e-commerce company in Turkey as senior application security engineers for 2 years. During this time, as an application security team, we have gained experience in how to deal with the security of 20k+ repositories and 15k+ microservices. We divided our management topics into three categories: finding of vulnerabilities, announcement of vulnerabilities and partnerships. The first step in our finding-of-vulnerabilities approach is to prepare a CI/CD pipeline to scan our source code, dependencies, secrets, Infrastructure as Code, mobile packages and container images with enterprise and open source tools. After we activated the pipeline, we were facing millions of vulnerabilities. To manage these vulnerabilities, we integrated a vulnerability orchestration tool. We also perform manual source code analysis tests on many critical points. As a result of the manual tests, we found that there are many vulnerabilities that are not found by the automated tests. To find these vulnerabilities in automated tests, we updated our automated processes by writing new rules for our enterprise and open source tools. We made sure that detailed explanations of all vulnerabilities, reference links and solution methods are added automatically within the orchestration tool. Our expectation was that the developers would examine their vulnerabilities and take their own actions. In this scenario, we would only have checked the vulnerabilities that changed status. Although this plan was very logical in theory, the time developers spent in the tool and the actions they took were far below what we expected. In order to draw attention to important vulnerability data, we developed the “Pipeline to Internal Communication Tools via DM” tool to send the current vulnerability numbers and a link to the person who triggered the pipeline via direct message.
We also developed another tool called “Vulnerability Reporter” to send the vulnerabilities approved by the application security engineer to the channels opened for each team and to track their resolution time. Understanding and analyzing the business is very important and difficult in such a large organization. To make this challenge easier, we decided to start the process we call partnership. By matching each security engineer with two or three teams, we aimed to better understand the business within these teams. It also had effects such as better communication and better process management. As a result, each new feature developed in-house can carry one of two labels in terms of application security: one for those that need manual testing and another for automated testing. To make this automatic, we developed another tool called “partnership-automation”. When a task receives a new status on Jira, where the software process is managed, the tool adds the current vulnerability data to each relevant task’s comments. We have many more services and processes that we manage, like creating a Secure Base Image to mitigate vulnerabilities from container images, a Secret Management system to find secrets and analyze production usage, an S-SDK to provide a second layer of protection for potential vulnerabilities in our projects, training for developers, etc. At this point, having built all these processes from zero, we would like to explain the problems we experienced in our presentation by exemplifying real-life scenarios. We believe that, by sharing our experiences, we can help the people who listen to our presentation create similar processes more smoothly.

BsidesAth Speaker

Talk #18

Building Secure React Applications

by Jim Manico, @manicode

Abstract: Cross-Site Scripting (or client-side JavaScript injection) and other client-side risks, such as leaking privileged links, data, or business logic, are well-known technical challenges that web application developers have faced for many years. While frameworks like ReactJS provide some automatic defenses to stop Cross Site Scripting, ReactJS developers still require specialized knowledge to build secure ReactJS applications. This presentation will review some of the necessary general-purpose Cross Site Scripting and other client-side defense recommendations in ReactJS. Any ReactJS developer will benefit from the techniques described in this talk! We will be discussing the following topics and more:
* React component attack surface
* Unescaped props and types
* dangerouslySetInnerHTML
* JavaScript URLs and React
* CSS styled-components and React
* JSON embedding and React
* React automatic defenses
* React manual defense techniques
* React Lazy Loading and Access Control
* React template injection
* Server-side rendering in React

Bio: Jim Manico is the founder of Manicode Security, where he trains software developers on secure coding and security engineering. He is also an investor/advisor for 10Security, Aiya, MergeBase, Nucleus Security, KSOC, and Inspectiv. Jim is a frequent speaker on secure software practices, is a member of the Java Champion community, and is the author of "Iron-Clad Java: Building Secure Web Applications" from Oracle Press. Jim also volunteers for the OWASP foundation as the project lead for the OWASP Application Security Verification Standard and the OWASP Cheatsheet Series. For more information, see https://www.linkedin.com/in/jmanico.

BsidesAth Speaker

Talk #19

Securing Small Organizations. Doing More With Less.

by Julian Botham, Pavle Bozalo, @Twitter

Abstract: As small organizations face the escalating challenges of cyber threats, it is essential to prioritize their security posture to safeguard sensitive data, assets, and reputation. This presentation will provide an insightful overview of the unique cybersecurity challenges faced by small organizations and outline tailored strategies to enhance their defenses. We will examine the risks posed by inadequate security measures and explore cost-effective, scalable solutions for mitigating potential threats. Key topics include the identification of common vulnerabilities, the importance of fostering a security-conscious culture, and the implementation of foundational cybersecurity best practices. We will also discuss the role of employee training, third-party risk management, and incident response planning in creating a resilient security framework. By equipping small organizations with practical guidance and actionable recommendations, our presentation aims to empower them to proactively address cybersecurity challenges and foster sustainable growth in an increasingly interconnected world.

Bio: Julian is an experienced penetration tester with a knack for finding and exploiting security vulnerabilities. With a background in cybersecurity, his expertise and enthusiasm have enabled him to effectively execute a range of tests for businesses across a multitude of industries. Dedicated to staying on top of the evolving cybersecurity industry, Julian is also proficient in risk management, incident response, and threat risk assessments. He’s a team player who is always eager to take on any project, no matter how difficult. Julian is an expert in his field, and his expertise has been invaluable in helping clients safeguard their businesses against malicious attacks.


BsidesAth Speaker

Talk #20

UFOSINT: Open Source Intelligence and Unidentified Aerial Phenomena

by Isaac Basque-Rice, @IBRice101

Abstract: UFOs, or more accurately UAPs (Unidentified Aerial Phenomena), have been a hot topic of conversation for many years now. In the popular imagination this kind of thing is normally reserved for conspiracy theorists and "documentaries" on the History channel; however, in recent years they have become the topic of much serious discussion amongst scientists and various military organisations around the world. In this talk I'll go over some of the OSINT techniques used to debunk UFO conspiracies, going through case studies of UFO sightings, as well as outlining some of the cases for which there is no conclusive explanation one way or the other (probably not aliens though).

Bio: I'm a recent graduate from Abertay's Ethical Hacking degree in Dundee, Scotland. I have interests in Threat Intelligence, Reverse Engineering, IoT technologies, and, of course, OSINT.

BsidesAth Speaker

Talk #21

E-commerce Company: How to Manage DevSecOps?

by Kürşat Oğuzhan Akıncı, Talha Karakumru, @KOAkinci

Abstract: In this presentation, we will discuss how e-commerce companies can approach DevSecOps management. DevSecOps is the process of software development, security, and operations teams working together to produce and manage software. E-commerce companies carry a serious security risk due to the sensitivity of customer data. Therefore, the DevSecOps approach is important in terms of application security. E-commerce companies can make their applications more secure by being part of the DevSecOps process. The DevSecOps approach helps to detect security vulnerabilities early in the software development process. Security processes such as security testing, penetration testing, and code analysis are automated in the DevSecOps process, increasing the security of applications. The DevSecOps process integrates security processes into the software development process. Thus, application security becomes part of the development process and is controlled until the final stage of the software. This approach helps to quickly detect and fix security vulnerabilities. DevSecOps is an important approach for e-commerce companies to increase application security. This approach helps to manage applications more securely by working together with software development, security, and operations teams. In conclusion, adopting the DevSecOps approach is important for e-commerce companies in terms of application security. This presentation aims to present the best practices for implementing the DevSecOps process and raise awareness among companies in this regard.

Bio: As an Application Security Team Lead, my responsibilities have included managing a team of security professionals, providing leadership and guidance, and overseeing the planning, design, and execution of security assessments and remediation activities. I have also been responsible for developing and implementing security policies, standards, and procedures to ensure compliance with industry regulations and best practices. In my past roles as a Penetration Tester, Security Researcher, and Cyber Security Consultant, I have conducted a variety of security assessments, including web and mobile application penetration testing, network and database penetration testing, wireless penetration testing, and source code security analysis. I have also conducted risk assessments, developed incident response plans, and provided security training and awareness programs for employees. Additionally, I have mentored and trained junior security professionals and assisted with employment interviewing and recruiting. As a lecturer at various universities, I have developed and taught courses on a range of security topics, including penetration testing, security audit, cyber threat intelligence, digital forensics, and social engineering.

Talha Karakumru has been working as an application security engineer at Trendyol Group, Turkey's leading e-commerce company backed by the Alibaba Group. With a background in software engineering and development, he has gained extensive experience in the field of cybersecurity. Prior to his current position, he worked as a penetration tester, conducting over a hundred security test projects for diverse companies and institutions across Turkey, the USA, Qatar, Azerbaijan, and more. His expertise spans DevSecOps, application security, container and cloud security, penetration testing and red teaming.

BsidesAth Speaker

WorkShop 1

Social Engineering: The Dangerous Bridge from Cyber World to Your physical World

by Christopher Salgado, @Twitter

Abstract: Given the continued escalating number of social engineering incidents in 2022, 2023 will, no doubt, solidify itself as the successful relay of this dangerous trend. Although many industry reports omit or belittle social engineering’s role in a cyberattack, it remains the precursor to the inevitable cyberattack, greatly heightening your potential experience as a victim to bad actors. Most concerning is that social engineering can infiltrate your real world, possibly promoting any engagement to real-world harm. We must understand exactly what social engineering is, identify it, train against it, mitigate any occurrences or possibly prevent some. Social engineering is the nexus between the cyber world and the physical world. Given that social engineering is reported to occur in more than 95% of successful cyberattacks, we must begin to reshape 2023 to our advantage on this topic or we will suffer a recycled fate from the prior years.
1. Understand the context of social engineering, both the simplicity and the complications that it can offer.
2. Learn how social engineering is a double-edged sword and a precursor to an inevitable cyberattack.
3. Learn how to identify social engineering and possibly prevent yourself from becoming victimized, or mitigate any occurrences of victimization.

Bio: Christopher Salgado is a highly accomplished and trusted security and investigations leader with more than 20 years in cyber and physical investigations. He has assisted several Fortune-based corporations through innovative and efficient processes. Salgado was instrumental in the buildout of Facebook’s global investigations division. Salgado also assisted in standing up Facebook’s global, 24/7/365 Investigations Center. Salgado has presented on various topics across the globe to Fortune-listed companies, the FBI, Homeland Security Investigations, Customs and Border Protection, ICE, DEA, TSA, ASIS, members of Interpol and Europol as well as members of the EU Commission. He was a keynote speaker at CrimeCon 2022, speaking on romance scams. Salgado is Founder of AGGOSO™ (AGGressive Open Source intelligence Operations) Training, a comprehensive training program for those desiring to upskill their OSINT/cyber investigative skillset. Salgado is CEO of All Points Investigations, LLC; an author at PI Magazine and a member of the London Speaker Bureau.

BsidesAth Speaker

WorkShop 2

How to break the Modbus protocol and cause a PLC DoS

by Omar Morando, @Twitter

Abstract: How secure is an industrial system? And how difficult is it to attack it? These are some of the questions I will try to answer in this talk. I will explain how to attack an OT system composed of PLC and SCADA by exploiting the vulnerabilities of the Modbus protocol, up to generating a DoS of the control PLC. Physically I will have a simulator of a plant, a PLC and an HMI system: the demo consists of showing how, with Python scripts, it is possible to carry out a Man-in-the-Middle attack, data dumping, a flooding attack on the plant and a DoS of the PLC. All done live.

Bio: I'm a consultant that provides offensive security assessments & penetration testing services for a variety of industries. I've 20+ years of experience in the OT/ICS Industrial Automation domain (SCADA, PLC, remote I/O, fieldbus) with expertise in ISA/IEC 62443 and in Automotive with ISO/SAE 21434 standards. I'm the Head of OT Cybersecurity & Innovation Lab at Sababa Security, with focus on the ICS, Automotive and Industrial IoT sectors. I am responsible for the Innovation Lab, a strategic asset with the aim of defining the development of new products and emerging cyber technologies. I am a trainer and speaker at security conferences and institutions, such as University of Genova, SUPSI (Switzerland), HackInBo, BSidesRoma, CSET, on company technologies and offensive security techniques in the OT domain.

BsidesAth Speaker

WorkShop 3

Practical Password Cracking

by Dimitri Fousekis, @rurapenthe0

Abstract: Cracking passwords is commonplace for today's information security professionals. If you need to crack passwords for audit purposes, red-team assessments, or simply to assess and defend your own systems – you will gain a deeper understanding of what various common hashing algorithms are, and how to effectively crack passwords using those hashing algorithms. The workshop is designed to cover the basics of password cracking and then to show you more advanced techniques that will allow you to grow your skills and password cracking effectiveness. We will cover various topics from wordlists, to using tools, to cracking non-standard languages and even passwords with emojis. This workshop will give you a strong baseline to get you started in your password cracking experience.

Bio: Dimitri has been in the cyber security industry for over 18 years, and is the CTO of Bitcrack Cyber Security. Having enjoyed many years of passwords and password-related talks, he is branching out to cover another one of his passions: ways to exfiltrate data. Dimitri has spoken at BSides in a few countries as well as PasswordsCon and other conferences.

Ethan is an information security consultant at Bitcrack Cyber Security in South Africa. He has a keen interest in mobile and web application hacking and finding vulnerabilities in production systems. His primary focus is on high-value transactional systems. He also enjoys password cracking and finding new ways to approach the cracking of passwords.

BsidesAth Speaker

WorkShop 4

What is eBPF and Why Should You Care!

by Kev Sheldrake, @kevsecurity

Abstract: eBPF is relatively new and “a revolutionary technology with origins in the Linux kernel that can run sandboxed programs in an operating system kernel.” You can achieve similar results to writing a kernel module, but in a (supposedly – we’ll come to that) safe manner. eBPF code runs in a virtual machine and, depending on the program type, can access all sorts of kernel internals, with programs being launched when specified code points get hit. I will talk about the basics and how to get up and running, the challenges and pitfalls to overcome, a library I wrote when working at Sysinternals to take away some of the pain, the Sysmon For Linux tool I wrote for Sysinternals that logs events to Syslog, and Cilium/Tetragon (and Cilium/ebpf library) that makes accessing eBPF for system observability easier. I will discuss technical details and explain the different use cases that might benefit you, from blue team using Sysmon and Cilium/Tetragon to achieve super powerful abilities, to researchers building custom program tracers, to red team exploiting kernel vulns, to sysadmins seeking performance issues.

Bio: Kev Sheldrake is a security software engineer and researcher who started working in the technical security field in 1997. Over the years, Kev has been a developer and systems administrator of ‘secure’ systems, an infosec policy consultant, a penetration tester, a reverse engineer and an entrepreneur who founded and ran his own security consulting company. He currently works at Isovalent on the open source and enterprise versions of the system observability tool Tetragon, and in the past he specialised in IoT, crypto, and tool development for a number of years.