This talk provides attendees that cushion by demonstrating that we’ve been here before with other technologies. Yet we fail to remember the times this exact situation has happened before, and pretend it won’t happen again. You might think that precarious funding and fly-by-night IoT companies make this situation different, but it’s really not. It’s too bad most IoT startups won’t live, but then again, who does? When it comes to myths about IoT security I have only one thing to say, “Wake up. Time to die.”
It’s no secret that embedded systems surround and control our daily lives. Embedded device and system manufacturers have long prioritized code quality and/or user experience over application security. As devices become more interconnected with each other, it is becoming apparent that change is needed throughout the industry. Utilizing millions of vulnerable embedded devices, we witnessed some of the world’s largest DDoS attacks in 2016 as a result of neglecting fundamental secure coding principles. Join me as we discuss common embedded application security threats, employing proactive controls, and best practices.
Malware authors try to hide from malware analysts and security researchers with plenty of techniques. They can make it seriously hard to analyze their code or simply to run the malware on automated tools for mass-scale analysis. People are developing more and more tools and ideas for how to overcome all of these challenges. However, there has been very little public research on how we could turn these techniques against the malware itself for our own benefit.
I will talk about the Medical IoT and its unique set of problems. There are obvious and often life-improving and life-saving gains to be made, traded for control of our most intimate privacy data. I present my experiments with biohacking – sensors that measure different aspects of my body – as well as my wishlist for the future, both when it comes to sensors and to regulation.
A few years ago, Frans and his team posted an article on Detectify Labs regarding domain hijacking using services like AWS, Heroku and GitHub. These issues still remain and still affect a lot of companies. Jonathan Claudius from Mozilla even calls “Subdomain takeover” “the new XSS”. Since then, many tools have popped up to spot these sorts of vulnerabilities. Frans will go through both the currently disclosed and the non-disclosed ways to take control over domains and will share the specific techniques involved.
Often defenders worry about the intangible security problems. Defenders need to concentrate their efforts defending the enterprise by focusing on the fundamentals. Too often issues such as patching or system configuration failures lead to system compromise. These along with issues such as SQL injection are preventable problems. Defenders can best protect their digital assets by first understanding the sheer magnitude that a data breach can have on an enterprise. In this talk I review my findings after analyzing hundreds of data breach disclosures as it pertains to what went wrong.
The SWEMAL software visits all domains on the Swedish web and examines the HTML/JS code for malware like redirect gateways and URL patterns related to exploit kits. The talk will cover how to retrieve and shorten the URL list, how the main program works, lessons learned during the project, and how the results were verified.
This lightning talk is a sample of war stories from the fields (or playgrounds) of picking apart and understanding systems. The targets give rise to methods ranging from unusual to plain silly and show that with determination and some creativity, even the strangest of challenges can be mastered. It will feature reverse engineering hardware circuits as well as compilers created for the sole purpose of messing with people foolish enough to try to reverse engineer them, and possibly a strange architecture or two.
Self-XSS is a type of XSS defined by the fact that it only affects the currently authenticated user. Harmless at first sight, but given the right preconditions, Self-XSS is just as dangerous as good old regular XSS.
Jesper Larsson, Aaron Guzman, Emma Lilliestam, Dave Lewis
Panel debate allowing open talks, with a focus on embedded security.
Great after-party at the opposite side of the conference building.