BSides London 2016

Wednesday, June 8, 2016, London, United Kingdom

MWR is pleased to announce that we are the Platinum Sponsors at BSides London 2016 and we will be hosting the MWR after party again this year!

Event Description

Launched in mid-2009, Security BSides is a community-driven event built for and by information security community members.

The goal is to expand the spectrum of conversation beyond the traditional confines of space and time. It creates opportunities for individuals to both present and participate in an intimate atmosphere that encourages collaboration. It is where conversations for the next-big-thing are happening and the Security BSides London team is bringing this back to London.

The volunteers for Security BSides London were inspired by the framework of the original Security BSides event in the USA, and have worked together to bring this to the UK.

Security BSides events are free, community events organised by local individuals, with the express goal of enabling a platform for information dissemination.

Pre-Event Challenge Overview:

Foil Max Pwnage

We believe evil genius Max Pwnage may be planning something of great and terrible significance and it is vital we get hold of his plans! He is a known recluse and all we have to go on is this picture, but we believe he may have made an opsec fail with it. See if you can use it to find his plans for your chance to win a Yard Stick One! 

Challenge Overview:

A Boolean Argument

You'll have to think logically to solve this challenge to increase your chances of winning the Makeblock IR Robot Kit! You'll have to place blocks of gates in available slots in order to generate a match for the sequence provided. How many can you solve in the allocated time?

Come and visit our stand to chat to us at BSides London for further details on the day! 

 

Talks presented by MWR

Topic: Bug Hunting with Static Code Analysis

Speaker: Nick Jones

Abstract:

How do we make application security assessments more efficient? Finding and fixing security issues just before a release, when testing is often done, is time consuming and expensive when compared to finding issues earlier in the development cycle. In addition, paying security consultants to find basic buffer overflows and SQL injection can be time consuming and inefficient on large codebases. This talk covers a number of automated analysis techniques for spotting bugs and security flaws in applications at the source code level, ranging from quick and dirty bash scripts through open source and commercial analysers to custom implementations. After reviewing how these can be used as part of bug hunting and application security assessments, it then discusses how these techniques can be baked into continuous integration systems to catch bugs as early in the development cycle as possible.

 

Topic: Honeypots and Deceptive Operations: Can You Catch More Spies with Honey(pots)?

Speaker: David Chismon 

Abstract:

Detecting advanced (or just effective) attackers on internal networks is the subject of much research and marketing. Various technologies go through the cycle of being offered as solutions to this problem, from "Threat Intelligence" a few years ago to Behavioural Learning currently. Honeypots have lingered around the fringes but more honeypot products are being offered and stand a good chance of being one of the next technologies to ascend the hype curve. This talk will look at honeypots and how they work, their benefits and their failings. It will cover a number of honey things such as honey creds, honey files, honey tokens, etc. It will debate where such things may play a role in an organisation's defensive strategy and how an organisation can best implement them should they choose to. The talk will also briefly cover the wider idea where honeypots sit, that of deceptive operations whereby you attempt to deceive an attacker in order to detect or dissuade attacks.

 

Topic: LoRa the Explorer - Attacking and Defending LoRa systems

Speaker: Robert Miller

Abstract:

LoRa is a Low Powered Wide Area Network (LPWAN) solution designed to enable smart city and IoT devices to communicate securely across cities. It is being rolled out in major cities across the world and being used for everything from Industrial Control Systems, through to domestic alarm systems. This talk aims to dive into the security of LoRa and the LoRaWAN protocol, to demonstrate its limitations, and to show how developers can build secure LoRa solutions.

Workshops presented by MWR

Topic: Glitch Attacks Against Embedded Systems

Speakers: Rob Miller and Joel Clark

Abstract:

Clock glitches allow attackers to attack applications through the hardware they are running on, letting them skip instructions and introducing vulnerabilities. This workshop will cover the theory and application of clock glitching attacks.

Participants will learn where clock glitch attacks can be used and how they work, use tools to generate clock glitches, and apply them to vulnerable hardware to generate proof of concept exploits.

Accreditations

As members of CHECK we are measured against high standards set by CESG for the services we provide to Her Majesty's Government.
We are certified in the ISO 9001 quality management system (QMS) in the UK, ensuring reliable delivery of our products and services.
We are certified to comply with ISO 14001 in the UK, an internationally accepted standard that outlines how to put an effective environmental management system in place.
MWR is certified to comply with ISO 27001 to help ensure our client information is managed securely.
As an Approved Scanning Vendor MWR are approved by PCI SSC to conduct external vulnerability scanning services to PCI DSS Requirement 11.2.2.
We are members of the Council of Registered Ethical Security Testers (CREST), an organisation serving the needs of the information security sector.
MWR is a supplier to the Crown Commercial Service (CCS), which provides commercial and procurement services to the UK public sector.
MWR is a Qualified Security Assessor, meaning we have been qualified by PCI to validate other organisations' adherence to PCI DSS.