Mini Battle Bots!
Interested in seeing how industrial control systems work and how secure they are? The ICS Village run by the University of Bristol's Cyber Security Group includes live demos of various attacks against ICS devices using our mobile demonstration units.
Hello and Welcome!
Hack hardware, hack software, hack social situations, hack careers, hack gender, hack biology, hack society, hack the planet, hack everything!
Keynote/Opening Speech
GEOINT is a component of OSINT where a physical location is discovered from clues in media, from still photographs to videos and even sound. The practice requires a selection of skills and knowledge about resources which may be as diverse as power grids, architecture and physics. A successful identification of a location may seem to be almost magical and, at the same time, scary.
Thought experiments are used in many disciplines - from theoretical physics and biology to linguistics and law - to question assumptions and generate new theories. Perhaps most prominently, they are a critical tool in philosophy, where their usage goes back thousands of years to Socrates and Plato. The insights and knowledge that rigorous, carefully considered thought experiments provide have completely revolutionized thinking in various fields. And yet, in cyber security, we haven’t made much use of them at all, and certainly not in any organized or formalized manner. This talk is an attempt to begin changing that.
In this session, I’ll provide a primer on thought experiments, covering their definitions, types, features, construction, usage, and outputs. I’ll examine some examples, discuss the drawbacks, and explore some unconventional forms which use different formats and ways of thinking.
I’ll then move on to argue a case for using thought experiments more widely in cyber security. I’ll start by focusing on how thought experiments differ from similar activities in security – such as tabletop exercises and ‘thinking like an attacker’ – and suggest several related areas in which thought experiments have proven useful previously, such as AI and cryptography, with examples.
Next, I’ll outline why we need more thought experiments in cyber security, identifying several areas in which they could be used to question common assumptions and theories, and I’ll present some thought experiments I’ve created in these areas, which I’ll invite attendees to use and build on as a starting point for further discussion and exploration.
I’ll then share a guide for creating thought experiments, as a first step towards encouraging their wider design and use in the field of security, and finish by calling for collaboration and cooperation to continue this.
An introduction on how to build robots. For complete beginners.
Fake survey sites, dating scams, shell companies, and Chinese threat actors - oh my! A walkthrough of Fangxiao, a phishing threat actor, covering their TTPs, IOCs, and how we attributed their activities.
Dr Jennings presents a session on how to identify 'experts' using false credentials and accomplishments to establish their reputation.
During this talk, we will see that many photovoltaic (PV) inverters suffer from typical "rush to market" problems that can introduce weaknesses and potentially allow a remote attacker to fully control or brick them.
Dependency modelling (DM) is a standardised approach proposed by The Open Group as a methodology to manage risk and build trust between inter-dependent enterprises. This approach aligns with the National Cyber Security Centre (NCSC)'s advocacy of system-driven risk analysis. DM measures risk as the degree of uncertainty that a system will be at a required (desired) state: it is expressed as the probability of achieving the desired state of a goal, and how that probability is impacted by things beyond the control, predictability or understanding of the system/process owner. The probabilities of events (nodes) change when the probabilities of the events they depend on change. However, the current expressions of DM have limitations that hinder its complete adoption for risk identification in a complex environment such as ICS. This research investigates how the capability of DM could be extended to address the identified limitations and proposes additional variables for phenomena that are unique to ICS environments. The proposed extension is built into a system-driven ICS dependency modeller, and we present an illustrative example using a scenario of a generic ICS environment. We reflect that the proposed technique improves the initial user data input when identifying areas of risk at the enterprise, business process, and technology levels.
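To make the mechanism concrete, the following is an added example (not the paper's modeller, and not code from The Open Group standard) of a minimal goal-dependency tree for a generic ICS scenario. It assumes the usual DM simplification that a node holds only if all of its dependencies hold and that dependencies are independent, so a node's probability is its own conditional probability multiplied by the probabilities of its dependencies. The node names and probabilities are constructed for illustration. It shows the propagation described above: changing one leaf changes the goal probability, and a sensitivity pass reveals which leaf dominates the uncertainty.

```python
"""Added example: a toy goal-oriented dependency model for a generic ICS scenario.

Assumptions (not from the paper): AND-combination of dependencies, independence
between dependencies, and the constructed node names and probabilities below.
"""
from dataclasses import dataclass, field
from typing import Dict, List

GOAL = "Process runs safely within tolerance"


@dataclass
class Node:
    name: str
    p_self: float                       # P(node holds | all dependencies hold)
    deps: List["Node"] = field(default_factory=list)

    def probability(self) -> float:
        """P(node holds) = p_self * product of dependency probabilities (AND, independent)."""
        p = self.p_self
        for d in self.deps:
            p *= d.probability()
        return p


def build_model() -> Dict[str, Node]:
    """Constructed generic ICS dependency tree; all values are illustrative."""
    plc_firmware = Node("PLC firmware integrity", 0.97)
    plc_network = Node("Control network isolated", 0.90)
    plc = Node("PLC operates correctly", 0.99, [plc_firmware, plc_network])
    hmi_os = Node("HMI host patched", 0.80)
    hmi_auth = Node("HMI access authenticated", 0.85)
    hmi = Node("Operator can supervise process", 0.98, [hmi_os, hmi_auth])
    historian = Node("Historian available", 0.95)
    goal = Node(GOAL, 0.995, [plc, hmi, historian])
    nodes = [plc_firmware, plc_network, plc, hmi_os, hmi_auth, hmi, historian, goal]
    return {n.name: n for n in nodes}


def goal_probability(model: Dict[str, Node]) -> float:
    return model[GOAL].probability()


def update(model: Dict[str, Node], name: str, p_self: float) -> float:
    """Change one node's own probability and return the recomputed goal probability.

    Demonstrates propagation: altering a leaf 'beyond the owner's control' shifts
    every node above it, including the goal.
    """
    model[name].p_self = p_self
    return goal_probability(model)


def sensitivity(model: Dict[str, Node]) -> Dict[str, float]:
    """Gain in goal probability if each leaf were made certain (p_self = 1.0).

    Leaves (nodes with no dependencies) are the 'things beyond the control' of the
    owner; the largest gain identifies where risk treatment would pay off most.
    """
    base = goal_probability(model)
    gains = {}
    for name, node in model.items():
        if node.deps:
            continue
        saved = node.p_self
        node.p_self = 1.0
        gains[name] = round(goal_probability(model) - base, 4)
        node.p_self = saved            # restore so the model is unchanged
    return gains


if __name__ == "__main__":
    m = build_model()
    print(f"goal probability: {goal_probability(m):.4f}")
    for leaf, gain in sorted(sensitivity(m).items(), key=lambda kv: -kv[1]):
        print(f"  +{gain:.4f} if '{leaf}' were certain")
    print(f"after patching HMI host to 0.95: {update(m, 'HMI host patched', 0.95):.4f}")
```

With the constructed values, the goal sits at roughly 0.544; the unpatched HMI host is the single largest contributor to that uncertainty, which is the kind of prioritisation the abstract describes DM supporting at the technology level.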
Nowadays, many educational providers worldwide have started teaching cyber security courses to school students in response to rising student interest. As a result, curriculum developers need help building a competent cyber security curriculum that is relevant and that nurtures student performance throughout the learning journey.
In addition, teachers at the secondary school level lack recent, up-to-date experience and relevant resources.
Consequently, it is crucial to address how cyber security will be delivered within the secondary school curriculum. This paper analyses computer science curricula in eight countries and extracurricular provision worldwide.
The analysis finds that in many countries cyber security education is addressed inconsistently, embedded across various curriculum content areas, and that existing curricula offer teachers little support in teaching the nature, aims, and pedagogy of cyber security. Comparing the curricula raised several critical challenges for cyber security education in secondary schools. These challenges are discussed in the paper alongside proposed ways of addressing them.
Even as our ability to counter cyber attacks improves, threat actors will sometimes compromise a system through exploited vulnerabilities, user error, or both. It is therefore important to understand the factors that influence trust and blame in a self-driving car following a successful cyber attack.
Given the scale expansion of the Internet of Things, the design of an Intrusion Detection System (IDS) is critical to protect the future network infrastructure from intrusions. Traditional IDS base their operations on Machine Learning (ML) models trained centrally in the cloud and then distributed across multiple end devices. However, this centralised approach often suffers from network overhead and high latency, thereby resulting in slow detection of malicious traffic and unresponsiveness to attacks in the worst case. The specific characteristics of large-scale IoT systems bring new design challenges that need to be carefully considered. This paper provides a comprehensive review of current IDS for IoT systems to shed light on these issues, focusing on the types of deployment architecture. We show how traditional practices are unsuitable for large-scale IoT systems due to their inherent characteristics. The current research for IoT intrusion detection will need to move in a different direction to develop an optimised solution for these types of networks.
Lunch
Incorrectly assessing digital information has many repercussions for users: from downloading malicious code in open-source software repositories, to becoming a victim of misinformation. Study 1 was a systematic review (N = 63 studies) of the digital symbols and signals that communicate trust when assessing digital information. The results suggested trust signals and symbols were grouped into three themes of social proof, verification to reduce variance of risk, and expectancy violation theory. Study 2 (N = 20 participants) was a thematic analysis exploring whether expertise influences the use of trust signals and symbols in open-source software libraries. Results indicated that differences exist between expert and lay users when utilising trust cues to assess digital information. The implications for these studies are that ways in which people use trust cues create vulnerabilities for malicious actors to exploit through a range of possibilities. Researching which digital trust signals and symbols are utilised by users (when assessing the trustworthiness of digital information) may help to inform how to mitigate said vulnerabilities.
It seems simple enough... or at least till you start scaling. Take a dive through the wonderful world of the vulnerability management extravaganza and some examples I've faced when trying to make sense of the data soup.
Lunch
Extract, reverse, and exploit Android applications.
Come to this workshop if you're new to offensive security, want to develop your skills in reverse engineering, or if you're interested in Android application internals. During the four hours we'll dive into:
- The fundamentals of the Java programming language
- How Android applications are developed
- How to reverse Android applications and identify common security misconfigurations
- How to patch and dynamically instrument Android applications for security testing
This talk provides an insight into Team Cymru's tracking of IcedID over the past 24 months, following its transition from banking trojan to all-round loader malware. We will demonstrate how we identify potential bot and loader C2 infrastructure through our network telemetry data, and provide confirmation of these findings through config extraction.
Using analytical techniques to build a high fidelity escalator up the pyramid of pain
Have you always wanted to know what type of decisions are required for a Social Engineering engagement but never get the opportunity to find out? Well look no further!
The Office of Danger: A Choose Your Own Adventure Story lets the audience make real world decisions on a social engineering engagement.
Will you be able to bypass security and reach your target? Or will your choices get you caught as soon as you enter?
The choice is in your hands!
Initial discovery came from a Discord message: some people were talking about having access to a polar-orbit satellite because its web application had no authentication. We knew this was a risk in the wrong hands. We researched the web application shortly afterwards and were able to get a shell and escalate our privileges. While on the system we identified privilege escalation vectors and, through source code analysis, found further command injection vulnerabilities. To ensure other hackers could not kill our shell and patch the bug in order to perform malicious activities, we created a backup shell for persistent access.
In 2022, Mandiant identified spear-phishing activity targeting government entities, diplomatic missions, and international organizations in Europe and North America. The threat actors used a variety of techniques and newly identified malware families that ultimately led to the delivery of BEACON payloads.
These extensive email phishing operations were conducting covert cyber espionage using the Cobalt Strike BEACON implant. Mandiant publicly exposed them in the blog "Trello From the Other Side: Tracking APT29 Phishing Campaigns" and attributed the campaigns to APT29, a Russian-nexus threat actor to which the SolarWinds supply chain intrusions have also been attributed.
In this talk, Mathias will provide:
- A deeper overview of the various novel phishing campaigns they’ve observed since February 2021
- Any changes in APT29 phishing campaigns since the publication of findings in April 2022
- A showcase of the malware utilized to gain a foothold in a victim's network
- Recommendations for defenders to mitigate the risks
Agenda for the presentation:
- AMSI Bypass Development
- Execution Policy Bypass
- Payload Runner Development
- Deploying Attack using BadUSB
- Post-Exploitation Persistence
- DEMO
- Prevention
The pathway to initial access in 2023 is far from an easy one. This talk will lift the lid on all the recent TTPs we have been using to gain access, giving you techniques you can implement in your own assessment. But what about defence? For all you blue teamers out there, we will show you how to prevent all the attacks we discuss! Sit back and enjoy all the fun!
EVSE Ecosystems & Connected Vehicle Privacy
Most process injection techniques involve creating a remote thread within the target process. That remote thread creation is exactly what gives EDR detection engines an opportunity to pick up the malicious activity. This talk will cover some of the methods in use today, followed by a novel technique that can inject and execute code in a remote process without some of these common indicators.
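The detection side of the point above, as an added example that is not part of the talk: a small triage routine run over constructed records shaped like Sysmon Event ID 8 (CreateRemoteThread), which is the telemetry most EDR and SIEM rules use to catch remote-thread injection. The heuristics (a thread start address not backed by any loaded module, LoadLibrary as the thread start routine, a sensitive target such as lsass.exe, and a short allowlist of Windows components that legitimately create remote threads) are the editor's assumptions about a typical rule, not a published ruleset, and the process paths and addresses are invented.

```python
"""Added example: triage of CreateRemoteThread telemetry (Sysmon Event ID 8 shape).

The events, allowlists and heuristics below are constructed assumptions for
illustration, not a vendor ruleset.
"""
from typing import Dict, List, Tuple

# Constructed events carrying the Sysmon Event ID 8 fields a rule typically inspects.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {   # Benign: csrss starting a thread in a freshly created console host.
        "SourceImage": r"C:\Windows\System32\csrss.exe",
        "TargetImage": r"C:\Windows\System32\conhost.exe",
        "StartAddress": "0x00007FFB4C2A1230",
        "StartModule": r"C:\Windows\System32\ntdll.dll",
        "StartFunction": "RtlUserThreadStart",
    },
    {   # Classic DLL injection: LoadLibraryA used as the remote thread entry point.
        "SourceImage": r"C:\Users\alice\Downloads\update.exe",
        "TargetImage": r"C:\Windows\explorer.exe",
        "StartAddress": "0x00007FFB4D1F0A10",
        "StartModule": r"C:\Windows\System32\KERNEL32.DLL",
        "StartFunction": "LoadLibraryA",
    },
    {   # Shellcode injection: start address lies in no loaded module.
        "SourceImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
        "TargetImage": r"C:\Windows\System32\svchost.exe",
        "StartAddress": "0x000001F3A4C20000",
        "StartModule": "",
        "StartFunction": "",
    },
    {   # Module-backed and unremarkable entry point, but the target is lsass.
        "SourceImage": r"C:\Temp\tool.exe",
        "TargetImage": r"C:\Windows\System32\lsass.exe",
        "StartAddress": "0x00007FFB4C2A1230",
        "StartModule": r"C:\Windows\System32\ntdll.dll",
        "StartFunction": "RtlUserThreadStart",
    },
]

# Assumption: Windows components that create remote threads as part of normal operation.
KNOWN_GOOD_SOURCES = {"csrss.exe", "services.exe", "wininit.exe"}
# Assumption: targets where any remote thread warrants an alert.
SENSITIVE_TARGETS = {"lsass.exe", "winlogon.exe", "csrss.exe"}
LOADER_FUNCTIONS = {"LoadLibraryA", "LoadLibraryW", "LoadLibraryExA", "LoadLibraryExW"}


def basename(path: str) -> str:
    """Last component of a Windows path, lower-cased for comparison."""
    return path.rsplit("\\", 1)[-1].lower()


def score_event(ev: Dict[str, str]) -> List[str]:
    """Return the list of indicators that fire for one CreateRemoteThread event."""
    reasons: List[str] = []
    if basename(ev["SourceImage"]) in KNOWN_GOOD_SOURCES:
        return reasons                       # allowlisted creator, nothing to report
    if not ev.get("StartModule"):
        reasons.append("unbacked_start_address")   # thread starts in private memory
    if ev.get("StartFunction") in LOADER_FUNCTIONS:
        reasons.append("loadlibrary_thread_start")  # remote LoadLibrary == DLL injection
    if basename(ev["TargetImage"]) in SENSITIVE_TARGETS:
        reasons.append("sensitive_target")
    return reasons


def triage(events: List[Dict[str, str]]) -> List[Tuple[str, str, List[str]]]:
    """(source, target, indicators) for every event with at least one indicator."""
    alerts = []
    for ev in events:
        reasons = score_event(ev)
        if reasons:
            alerts.append((basename(ev["SourceImage"]), basename(ev["TargetImage"]), reasons))
    return alerts


if __name__ == "__main__":
    for src, tgt, why in triage(SAMPLE_EVENTS):
        print(f"ALERT {src} -> {tgt}: {', '.join(why)}")
```

The two middle events are the ones the talk refers to: both leave a remote thread whose start address or start routine is itself the indicator. A technique that avoids creating a remote thread never produces an Event ID 8 at all, which is why the talk's novel approach matters to defenders and why detection of injection should not rest on this one event alone.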
Thanks and details of the afterparty