08:30

Registration and venue opening

09:00

Hello and welcome

09:20

KEYNOTE: Of Unicorns and Replicants

Steve Lord
This talk provides attendees that cushion by demonstrating that we’ve been here before with other technologies. Yet we fail to remember the times this exact situation has happened before, and pretend it won’t happen again. You might think that precarious funding and fly-by-night IoT companies make this situation different, but it’s really not. It’s too bad most IoT startups won’t live, but then again, who does? When it comes to myths about IoT security I have only one thing to say, “Wake up. Time to die.”

10:20

Don’t Get Caught Em-bed

Aaron Guzman
It’s no secret that embedded systems surround and control our daily lives. Embedded device and system manufacturers have long prioritized code quality and/or user experience over application security. As devices become more interconnected with each other, it is becoming apparent that change is needed throughout the industry. Utilizing millions of vulnerable embedded devices, we witnessed some of the world’s largest DDoS attacks in 2016 as a result of neglecting fundamental secure coding principles. Join me as we discuss common embedded application security threats, employing proactive controls, and best practices.

11:20

How to convince a malware to avoid us

Csaba Fitzl
Malware authors try to hide from malware analysts and security researchers with plenty of techniques. They can make it seriously hard to analyze their code or simply to run the malware on automated tools for mass-scale analysis. People are developing more and more tools and ideas for overcoming these challenges. However, there has been very little public research on how we could utilize this against the malware itself for our benefit.

12:30

LUNCH

13:30

Internet of Scientific Curiosity

Emma Lilliestam
I will talk about the Medical IoT and its unique set of problems. There are obvious and often life-improving and life-saving gains to be made, traded for the control of our most intimate private data. I present my experiments with biohacking – sensors that measure different aspects of my body – as well as my wishlist for the future, both when it comes to sensors and to regulation.

14:30

DNS hijacking using cloud providers

Frans Rosén
A few years ago, Frans and his team posted an article on Detectify Labs regarding domain hijacking using services like AWS, Heroku and GitHub. These issues still remain and are still affecting a lot of companies. Jonathan Claudius from Mozilla even calls “Subdomain takeover” “the new XSS”. Since then, many tools have popped up to spot these sorts of vulnerabilities. Frans will go through both the currently disclosed and the non-disclosed ways to take control over domains and will share the specific techniques involved.

15:20

COFFEE BREAK

15:45

When the Walls Fell

Dave Lewis
Often defenders worry about intangible security problems. Defenders need to concentrate their efforts on defending the enterprise by focusing on the fundamentals. Too often issues such as patching or system configuration failures lead to system compromise. These, along with issues such as SQL injection, are preventable problems. Defenders can best protect their digital assets by first understanding the sheer magnitude of impact that a data breach can have on an enterprise. In this talk I review my findings after analyzing hundreds of data breach disclosures as they pertain to what went wrong.

16:45

Automated malware analysis on the whole Swedish web

Ulf Lundin
The SWEMAL software visits all domains on the Swedish web and examines the HTML/JS code for malware such as redirect gateways and URL patterns related to exploit kits. The talk will cover how to retrieve and shorten the URL list, how the main program works, lessons learned during the project, and how the results were verified.

17:10

Reverse engineering with determination

Calle Svensson
This lightning talk is a sample of war stories from the fields (or playgrounds) of picking apart and understanding systems. The targets give rise to methods ranging from unusual to plain silly, and show that with determination and some creativity, even the strangest of challenges can be mastered. It will feature reverse engineering hardware circuits as well as compilers created for the sole purpose of messing with people foolish enough to try to reverse engineer them, and possibly a strange architecture or two.

17:35

Self XSS: we’re not so different you and I

Mathias Karlsson
Self-XSS is a type of XSS defined by the fact that it only affects the currently authenticated user. Harmless at first sight, but given the right premises Self-XSS is just as dangerous as good old regular XSS.

18:00

PANEL DEBATE: Embedded Security

Jesper Larsson, Aaron Guzman, Emma Lilliestam, Dave Lewis
Panel debate allowing open discussion, with a focus on embedded security.

18:45

WRAP-UP AND AWARDS (CTF)

19:00

DINNER

21:00

AFTER-PARTY!

Great after-party at the opposite side of the conference building.