0.4 bsides-cymru-2024 2024-04-27 2024-04-27 1 00:05 https://pretalx.com Europe/London Main Room (Ballroom) - Track 1 Talk - Long 2024-04-27T09:00:00+01:00 09:00 00:30 Keynote Speaker bsides-cymru-2024-46371-opening-speeches-keynote Craig Jones, Clare Johnson + Stuart Criddle en Keynote Speaker false https://pretalx.com/bsides-cymru-2024/talk/RDFGC8/ https://pretalx.com/bsides-cymru-2024/talk/RDFGC8/feedback/ Main Room (Ballroom) - Track 1 Talk - Long 2024-04-27T09:30:00+01:00 09:30 00:30 An exploration of the threats against home renewable technologies such as solar panels, EV chargers and smart heating systems with inspiration from real world vulnerabilities. bsides-cymru-2024-45874-home-renewables-security-or-how-i-forgot-to-rtfm-and-got-pwned-by-my-12-year-old Jon Renshaw en Adoption of home technologies to help reduce CO2 emissions and energy costs are on the rise as more and more people engage with the green revolution. Whether it’s solar panels and battery technology, Electric Vehicles (EV) and their chargers or smart home heating for both conventional fossil fuel heating and electric heating such as heat pumps. All of these technologies are built on electronics, software, are networked and often include cloud management capabilities, as well as often being physically located outside of the home. This talk will explore the threat model for home renewable technology with real world examples of vulnerabilities. It will also explore what manufacturers should be doing to support their customers to maintain the security of home renewable technologies. The presentation will conclude with the story of how my 12 year old took advantage of poor default security settings on a solar inverter. false https://pretalx.com/bsides-cymru-2024/talk/ANY9VY/ https://pretalx.com/bsides-cymru-2024/talk/ANY9VY/feedback/ Main Room (Ballroom) - Track 1 Very Long Talk 2024-04-27T10:05:00+01:00 10:05 00:45 What do you get when you cross a bored security researcher with a gullible scammer? You get this talk, of course – an epic dive into weeks of trolling, lulz, and horrendous OPSEC. I’ve been trolling scammers as a hobby for a while now, amusing myself by replying to their email lures with deliberately outrageous scenarios and turns-of-phrase. Usually, the scammers figure out I’m on the wind-up and disengage pretty quickly. Not this time. Join me as we walk through a complex, long-term email scam from start to finish – a journey featuring a ‘solicitor’ who out of the goodness of his heart wanted to help me claim an inheritance worth millions, and a ‘bank’ which was only too willing to facilitate this. Along the way we’ll meet my slightly unhinged alter ego (the intended victim of this scam), and his fictional, put-upon, and possibly kidnapped roommate, Tarquin Fortitude. Together they turned a simple phishing lure into a litany of trolling involving increasingly ludicrous personal details, the most amateurishly-fabricated library card ever, a fake bank transfer, a giant purple envelope, and hilarious misunderstandings. Every time I thought I’d gone too far – like when I asked the scammer to send ME money – the scammer continued to reply, even laying the groundwork for a follow-up scam by telling me their son was undergoing cancer treatment. But it wasn’t all just for the lulz. As I trolled, I also documented every domain, snippet of information, and attachment, which provided a useful insight into how modern email scammers operate and the techniques and tactics they use. It also eventually resulted in me obtaining some very interesting details about the scammer… In this talk I’ll tell you the story in all its gory detail, explore some practical learning points, and share the IOCs and TTPs I collected. bsides-cymru-2024-43753-hurr-durr-he-wrote-that-awesome-time-i-trolled-the-stupidest-scammer-in-the-world Matt Wixey en See abstract. true https://pretalx.com/bsides-cymru-2024/talk/8SYSTT/ https://pretalx.com/bsides-cymru-2024/talk/8SYSTT/feedback/ Main Room (Ballroom) - Track 1 Talk - Long 2024-04-27T10:55:00+01:00 10:55 00:30 How everything can be faked and simple ways to debunk them as fakes. bsides-cymru-2024-44454-everything-online-can-be-faked-here-s-how-and-here-s-how-to-spot-it Wayne May en We discuss the ways everything online can be faked, from spoofing phone numbers to creating virtual webcams to using AI to create deepfaked voices, combined with animating an image to make it appear as if the person is talking. Several of the ways will be shown using demonstrations false https://pretalx.com/bsides-cymru-2024/talk/XWPKYS/ https://pretalx.com/bsides-cymru-2024/talk/XWPKYS/feedback/ Main Room (Ballroom) - Track 1 Talk - Long 2024-04-27T11:30:00+01:00 11:30 00:30 Navigate the Spectrum of Intelligence with us, our talk unveils the intricate world of intelligence gathering. Explore the mysterious intricacies of CYBINT, HUMINT, and other intelligence domains, each revealing a piece of the global espionage puzzle. Witness how the integration of TECHINT, SIGINT, FININT, and more, forms a complex tapestry of data analysis and insight. This presentation is a gateway into the secretive realms of intelligence, where each detail and discovery brings you a step closer to understanding the hidden forces that shape our world. bsides-cymru-2024-43423-so-you-want-to-be-a-spy-reality-is-a-slap-in-the-face Tony GeeHugo Page-Turner en Our presentation delves into the complex world of intelligence gathering and analysis. It covers various types of intelligence, such as TECHINT (Technical Intelligence), SIGINT (Signals Intelligence), FININT (Financial Intelligence), RADINT (Radar Intelligence), OSINT (Open Source Intelligence), CYBINT/DNINT (Cyber/Digital Network Intelligence), IMINT/GEOINT (Imagery/Geospatial Intelligence), MASINT (Measurement and Signature Intelligence), and HUMINT (Human Intelligence). We will journey through All-Source Intelligence, highlighting the specific methodologies and technologies involved, as well as their applications in different contexts. The presentation showcases less known techniques as well as those popularised by Hollywood. We also explore the integration of diverse intelligence types in modern practices and tradecraft as well as the evolution and current trends in intelligence gathering and analysis. true https://pretalx.com/bsides-cymru-2024/talk/NNLVEQ/ https://pretalx.com/bsides-cymru-2024/talk/NNLVEQ/feedback/ Main Room (Ballroom) - Track 1 Very Long Talk 2024-04-27T12:05:00+01:00 12:05 00:45 Admiral CTF which will be accessible via phone and open to all. bsides-cymru-2024-47573-admiral-community-ctf en Admiral CTF which will be accessible via phone and open to all. false https://pretalx.com/bsides-cymru-2024/talk/WCFQVU/ https://pretalx.com/bsides-cymru-2024/talk/WCFQVU/feedback/ Main Room (Ballroom) - Track 1 Talk - Long 2024-04-27T13:30:00+01:00 13:30 00:30 Achieving domain admin status may showcase l33t hacking skills, but does it resonate with clients? This presentation challenges the traditional focus on system compromise by shedding light on the often-overlooked consequence: the compromise of client and user trust. While penetration testers traditionally strive for system vulnerability identification, threat actors are evolving to exploit novel ways to impact victims. In a notable incident from November 2023, the ransomware group Alphv/BlackCat filed a complaint with the US Securities and Exchange Commission (SEC) against a victim who failed to disclose the data breach they caused. This incident may signal a potential shift towards hacking groups leveraging laws and regulations to pressure victims into making payments, adding a new layer to cyber threats. Exploring the European landscape, where the protection of Personally Identifiable Information (PII) is paramount, is it possible for penetration testers to leverage regulatory frameworks. By highlighting the business and regulatory impacts that clients may suffer due to lax security practices, we aim to encourage better security adoption. Can we turn regulatory compliance into a powerful tool for enhancing cybersecurity and fostering client trust? bsides-cymru-2024-43079-i-don-t-care-about-domain-admin Dan Cannon en Presentation outline 1) Common pentesting goals In the opening of the talk, we discuss that some common goals for clients engaging pentesters is the identification of vulnerabilities, and that testers have their own goals of being able to break all security, achieve a data breach and escalate privileges (Domain Admin FTW) 2) Traditional vs Modern penetraiton testing This section talks about how clients are starting to see that security needs to be thought of as a big picture issue and that testing very small areas of a network or single applications don’t realistically improve security. Modern testing is moving toward continual vulnerability assessments and more scenario/red team style testing. However testers still want to get to DA and prove their skills 3) Real world incidents that didn’t follow traditional playbooks A review of the Alphv/BlackCat attack against MeridianLink and how they posted a picture of themselves reporting MeridianLink to the USA SEC in an attempt to get them to pay a ransom 4) GDPR A review of the types of data that are deemed valuable in the EU (PII) and how companies have been hit with fines after databreaches 5) Weaponising GDPR for the greater good A discussion on how in 2024 cyber security is still not where it should be and that perhaps if we embrace non-technical ramifications of an attack we can convince clients to take action. Discussing how some clients have little idea what the impact of whoami command showing system access but can definitely understand comments such as “the last company that had this much data exposed in a breach payed £X millions in fines” 6) How to find the flaws The release of a new tool FileFinder that searches network for file sharing locations and points pentesters to areas of interest. 7) How a single file doomed an organsation’s attempt at being secure A case study of a real world penetration test against an organisation that took data security seriously was doomd due to an NFS share hosting a file with an excessive amount of passwords on it. It would have been significantly harder to break security without these credentials. 8) Conclusion Summing up how pentesters can still view technical exploits and network compromise as a fantastic goal to achieve. But that we can also add steps to highlight areas that can cause real impact to clients. Attendee Takeaway 1) Attendees will learn about pentesting concepts and how testers target networks 2) Attendees will learn about how regulation impacts their clients and that 1 hacking group has already threatened to use this against their victims 3) Attendees see a new tool that can be used to map files of interest across a network. false https://pretalx.com/bsides-cymru-2024/talk/JCDCGE/ https://pretalx.com/bsides-cymru-2024/talk/JCDCGE/feedback/ Main Room (Ballroom) - Track 1 Talk - Long 2024-04-27T14:05:00+01:00 14:05 00:30 Azure, AWS, GCP...Pick your poison. We are in the midst of a digital revolution as organisations are putting an unearthly (pardon the pun) amount of their business operations and data in the cloud. Responsibility has become a grey area, storage is being left exposed to the internet, and MFA may be the first and last line of defence. Join Max, Head of Adversarial Simulation and a Red Teamer who has become mildly obsessed with hacking the cloud, as he walks you through how his perspective and methodology has shifted when targeting cloud environments. bsides-cymru-2024-44271-out-of-the-frying-pan-into-the-cloud-a-red-teamer-s-view-of-your-cloud-estate Max Corbridge en Initial Access: - Is password spraying back!? Max and his red team are leveraging intelligent password spraying and common gaps in MFA to breach orgs reliant on o365. This particular attack chain has recently been abused by Russian threat group Midnight Blizzard to compromise Microsoft themselves https://www.microsoft.com/en-us/security/blog/2024/01/25/midnight-blizzard-guidance-for-responders-on-nation-state-attack/ - The renaissance of web application compromise. Metadata services and rich cloud APIs have taken the impact of SSRF and RCE on app servers and functions to new levels. Gone are the days of popping a low-privileged service account, restricted to the webroot on a web server, in the DMZ... - Users will always be a target...but out with the old (implants) and in with the new (post-MFA session tokens) Lateral Movement / Privilege Escalation: - Every cloud environment we have red teamed to date has some level of overly privileged accounts, and its not a surprise when IT administrators are now expected to understand the granular differences between 100s of different IAM roles - Targeting the right identities/service principals/etc is often easier and better opsec than going for superusers - Generally speaking there are so many misconfigurations or abusable default configurations that there is less a focus on 'exploitation' as there is on 'leveraging' what is there. - Persistence is now about maintaining access to valid session tokens, not repeatedly executing an implant. Data Mining / Actions on Objectives: - Data mining is an absolute goldmine in the cloud, and Max and his team have abused this to skip massive chunks of the traditional cyber attack kill chain and cause catastrophic business impact - Actions on objectives largely remain the same from on-prem to cloud red teams, but the means change dramatically. false https://pretalx.com/bsides-cymru-2024/talk/ZXC9NE/ https://pretalx.com/bsides-cymru-2024/talk/ZXC9NE/feedback/ Main Room (Ballroom) - Track 1 Very Long Talk 2024-04-27T14:40:00+01:00 14:40 00:45 Embark on a gripping journey into the realm of Cloud Purple Teaming through a real-world war story. This talk will unfold the challenges, victories, and invaluable lessons learned during a Cloud Purple Teaming engagement. Gain insights into the unique strategies and collaborative efforts that shaped the defense of cloud-based assets, providing actionable takeaways for enhancing your organization's cloud security posture. bsides-cymru-2024-44837-navigating-cloud-frontiers-a-war-story-of-cloud-purple-teaming Hani Momeninia en Attendees will gain actionable insights into the intricacies of Cloud Purple Teaming, from navigating the cloud landscape to mastering incident response in cloud environments. The war story format will provide tangible lessons applicable to diverse cloud security challenges. false https://pretalx.com/bsides-cymru-2024/talk/9N3LA7/ https://pretalx.com/bsides-cymru-2024/talk/9N3LA7/feedback/ Main Room (Ballroom) - Track 1 Talk - Long 2024-04-27T15:35:00+01:00 15:35 00:30 An employee's M365 account has become a pivotal asset, guarding business-critical data such as internal emails and SharePoint data. In this talk, we dive into modern tradecraft used by JUMPSEC to compromise M365 in our adversary simulation engagements, some of which were recently used by an advanced threat group to successfully breach Microsoft. The talk will outline our methodologies in obtaining unauthorised access, followed by strategies for post-compromise actions. bsides-cymru-2024-44593-ohhhh365-how-to-quite-reliably-hack-into-microsoft-365-and-what-to-do-afterwards Sunny Chau en ## Introduction M365 accounts have never been *mere* email inboxes; they are the linchpins of internal communications and data repositories. An attacker's access to such accounts often leads to sensitive internal data exposure and facilitates lateral movement within an organization, especially in hybrid or cloud-native environments. ## Initial Access Methodologies We dive into the methodologies tested and refined in red team operations in our consultancy, to infiltrate Microsoft 365, which include: - **Revival of Password Spraying**: The password spraying technique is revisited, utilizing AWS API Gateway proxying to bypass Microsoft's Smart Lockout. This innovative approach enables us to exploit often-seen gaps in multi-factor authentication (MFA) setups, which got us into highly-sophisticated clients. Microsoft's security team reported in January 2024 that one of their own tenants were compromised by a threat group using a similar approach. - **MitM Phishing Via Productivity Apps**: Tools like Microsoft Teams can be leveraged for phishing, effectively circumventing traditional email controls. Our social engineering methodology employs Man-in-the-Middle (MitM) tactics to hijack post-MFA access tokens. We will outline key steps in readily setting up a believable front that gets past web filters. ## Post-Compromise Our Tactics, Techniques, and Procedures (TTPs) for data mining, persistence and lateral movement within Office 365 are highlighted, and thereby the potential business impact too. Threat actors, and by extension attack simulations target M365 more and more for a reason, and it's not just about breaking into accounts. false https://pretalx.com/bsides-cymru-2024/talk/MC3RN9/ https://pretalx.com/bsides-cymru-2024/talk/MC3RN9/feedback/ Main Room (Ballroom) - Track 1 Talk - Long 2024-04-27T16:10:00+01:00 16:10 00:30 With passwordless solutions becoming more prevalent within the enterprise, the goal of becoming a phish proof organisation are becoming ever closer. But what risks are introduced with these kinds of solutions? bsides-cymru-2024-45395-okta-terrify-persistence-in-a-passwordless-world Ceri Coburn en We will take a deep dive into one of these solutions, the Okta Verify application and it's FastPass feature. We will first cover how Okta Verify and FastPass works followed by a demonstration of persistence vectors available to attackers when an endpoint is compromised that is running Okta Verify. A new tool will be demonstrated that will also be released to the community later in the summer. true https://pretalx.com/bsides-cymru-2024/talk/NAUZ9Y/ https://pretalx.com/bsides-cymru-2024/talk/NAUZ9Y/feedback/ Main Room (Ballroom) - Track 1 Talk - Long 2024-04-27T16:45:00+01:00 16:45 00:30 Closing speeches and prize giving bsides-cymru-2024-49720-closing-speeches en Closing speeches and prize giving false https://pretalx.com/bsides-cymru-2024/talk/SN8EC7/ https://pretalx.com/bsides-cymru-2024/talk/SN8EC7/feedback/ Sophia Room - Track 2 Very Long Talk 2024-04-27T09:25:00+01:00 09:25 00:45 An educational but fun myth-busting session talking about all things neurodiversity. Illyana will talk about her journey through diagnosis and her journey in industry, as well as share insights on how everyone can be more inclusive. bsides-cymru-2024-43378-decoding-neurodiversity-spectrums-aren-t-just-for-rf Illyana Mullins en Through personal experience and awkward audience participation, be prepared for an exploration of the misconceptions surrounding neurodiversity, coupled with practical tips on fostering inclusivity. Discover how each of us can contribute to creating a more understanding and welcoming environment for individuals with diverse neurological profiles. This session promises to be both informative and enjoyable, as we delve into the complexities of neurodiversity with a personal touch. false https://pretalx.com/bsides-cymru-2024/talk/DY8SWE/ https://pretalx.com/bsides-cymru-2024/talk/DY8SWE/feedback/ Sophia Room - Track 2 Talk - Long 2024-04-27T10:15:00+01:00 10:15 00:30 Whatever you do, don't pull the plug! A ticket has been logged, users are unable to open files and then you discover the ransom notes, and start seeing files changing before your eyes - what next? Isolate the hosts, pull the power, pray or go and make a cuppa? This talk will cover a real life experience when someone did exactly that and pulled the power out of a storage array - with the best of intentions to prevent further damage, unbeknown that this would actually cripple the network! From stopping the attack, uncovering the lack of DR and backups, to reconstructing the environment and travelling across London with a server in the back of a black cab and then rebuilding. This is a real life tale about how a lack of incident response planning and knee jerk reactions can make things worse! bsides-cymru-2024-46022-whatever-you-do-don-t-pull-the-plug Pete G en Whatever you do, don't pull the plug! A ticket has been logged, users are unable to open files and then you discover the ransom notes, and start seeing files changing before your eyes - what next? Isolate the hosts, pull the power, pray or go and make a cuppa? This talk will cover a real life experience when someone did exactly that and pulled the power out of a storage array - with the best of intentions to prevent further damage, unbeknown that this would actually cripple the network! From stopping the attack, uncovering the lack of DR and backups, to reconstructing the environment and travelling across London with a server in the back of a black cab and then rebuilding. This is a real life tale about how a lack of incident response planning and knee jerk reactions can make things worse! false https://pretalx.com/bsides-cymru-2024/talk/AC9KGJ/ https://pretalx.com/bsides-cymru-2024/talk/AC9KGJ/feedback/ Sophia Room - Track 2 Talk - Long 2024-04-27T10:50:00+01:00 10:50 00:30 In the ever-evolving landscape of cybersecurity threats, SOC analysts play a vital role in detecting, investigating, and responding to incidents. To excel in their mission, SOC analysts need to leverage a comprehensive arsenal of tools, along with proven tips and tricks, to conduct efficient and effective investigations. In this talk, we will dive deep into the SOC analyst's world, exploring the essential tools, invaluable tips, and time-saving tricks that can supercharge investigations. Join us for an engaging session that will empower SOC analysts of all skill levels with the tools, tips, and tricks necessary for effective investigations. bsides-cymru-2024-44441-soc-analyst-s-arsenal-essential-tools-tips-and-tricks-for-effective-investigations Samuel Kavaler en We will begin with an OPSEC warning after which we will explore SOC analyst tools that form the foundation of a SOC analyst's toolkit and highlight the most valuable functionalities. Main areas that will be covered: - Reputation engines and related info - Quick sandboxing - Analysis of EVTX and malware - Other useful tools Additionally, we will share battle-tested tips and tricks used by experienced SOC analysts in the field. These insights will cover a range of topics, including: - OSINT gathering - Log manipulation and transformation - Scripting and automation opportunities Moreover, we will mention the importance of collaboration and knowledge sharing among the SOC analysts and propose ways to leverage gamified tabletop exercise to ignite conversation and teamwork. We will conclude the session with a few minutes for questions from the audience / suggestions of other tools or tricks they like. false https://pretalx.com/bsides-cymru-2024/talk/9WGWWS/ https://pretalx.com/bsides-cymru-2024/talk/9WGWWS/feedback/ Sophia Room - Track 2 Very Long Talk 2024-04-27T11:25:00+01:00 11:25 00:45 Both LLMs as application components and code generation has security challenges. The goal of the talk is to demystify the complexities of securing applications. We discuss AI security and software engineering challenges according to recent research. Highlighting three popular AI use cases: Code Completion, Code Generation and Code Quality tools. We discuss how they fit in modern development environments and CI/CD, and what their implications are. We seek to resolve conflicting interests of Product Management, Security and Software Development. The talk will build on well-known security knowledge, extend it by looking at frameworks, such as MITRE ATLAS and OWASP Top 10 for LLMs. With a quick intro to some of the key attack techniques, we look at where prevention should occur, and how to prioritize defenses. The presentation will have a demo including one potential workflow. The goal is to overcome the obstacles of securing software by decomposing it. The typical challenges are: specialised tooling, lots of moving parts, unclarity of the components. We discuss the approaches to deal with securing software with high Go to Market pressure including. bsides-cymru-2024-45048-practical-security-challenges-posed-by-ai-adoption-code-quality-and-threat-modeling Balazs Greksza en 1. INTRODUCTION - whomi 2. AI IN SOFTWARE ENGINEERING - How software engineers apply AI in their day to day job 3. LLM USE CASES - and few thoughts about the security cost 4. SECURITY FRAMEWORKS AND BEST PRACTICES - Latest improvements in the field 5. DEMO 6. CLOSING REMARKS false https://pretalx.com/bsides-cymru-2024/talk/NTWYXY/ https://pretalx.com/bsides-cymru-2024/talk/NTWYXY/feedback/ Sophia Room - Track 2 Talk - Long 2024-04-27T12:15:00+01:00 12:15 00:30 Reverse engineering, vulnerability research, binary analysis - all of these approaches and disciplines require skill and take time. This talk dives into supporting the latter, by covering what we can do to automate and accelerate approaches to binary analysis and in getting results, identifying findings, and spotting bugs and vulnerabilities quicker. bsides-cymru-2024-43246-automating-binary-analysis-with-machine-learning-and-a-bunch-of-scripts James Stevenson en *Reverse engineering, vulnerability research, binary analysis - all of these approaches and disciplines require skill and take time. This talk dives into supporting the latter, by covering what we can do to automate and accelerate approaches to binary analysis and in getting results, identifying findings, and spotting bugs and vulnerabilities quicker.* During this talk we’ll cover a collection of approaches for accelerating binary analysis, covering a rage of areas from onboarding new binaries, diffing code, and identifying vulnerabilities/ similar code using ML. This will include: - Quick wins you can implement right now to accelerate your manual analysis - Approaches to developing your own automated approaches to binary analysis - Where machine learning fits into this, and a collection of ML automation tooling false https://pretalx.com/bsides-cymru-2024/talk/A8YPE3/ https://pretalx.com/bsides-cymru-2024/talk/A8YPE3/feedback/ Sophia Room - Track 2 Talk - Long 2024-04-27T13:30:00+01:00 13:30 00:30 I will explain how IDOR vulnerabilities occur in the context of online transactions. I will be doing a demonstration showing real world examples and results of IDOR attacks. I will also explain statistics or case studies highlighting the financial impact of IDOR attacks, and I will also conduct extensive research on how to eliminate the defensive vulnerability. To prevent IDOR vulnerabilities, secure coding practices are required at least a little. Therefore, what important points should we pay attention to, etc. Securing all endpoints via IDOR These will all be LIVE DEMO or LIVE HACK. I will make my own configuration on the server. bsides-cymru-2024-43704-securing-online-transactions-how-to-keep-your-money-safe-about-idor-vulnerability Ilkin Javadov en I need only HDMI false https://pretalx.com/bsides-cymru-2024/talk/GB9VVT/ https://pretalx.com/bsides-cymru-2024/talk/GB9VVT/feedback/ Sophia Room - Track 2 Talk - Long 2024-04-27T14:05:00+01:00 14:05 00:30 This talk will take a closer look at BloodHound's Cypher queries, delving into how complex queries can be built in order to build and extract better datasets for use in offensive and defensive AD security. The basics of the language, its syntax, potential use cases and advantages over BloodHound GUI alone will be discussed in detail. Examples will be drawn from the field and pros and cons of utilising raw queries will be illustrated. This topic was chosen out of a frustration for the sometimes slow process of enumerating targets in BloodHound using prebuilt queries, or the worry of missing key targets and paths due to an incorrect query. bsides-cymru-2024-43901-dr-strangequeries-or-how-i-learned-to-stop-worrying-and-write-better-bloodhound-queries Harry Williams en BloodHound is one of the most well-known tools in the hacker's arsenal when it comes to Active Directory exploitation. It offers the user a convenient way of visualising relationships within AD in order to find interesting attack paths. BloodHound even comes with pre-made queries that you can use to find quick-wins throughout the chosen domain. Unfortunately, these pre-made queries do not offer the full scope of paths you may wish to try in AD and may not do exactly what you want them to. Since BloodHound relies on Cypher queries against a neo4j database, one can simply write raw queries for use in the BloodHound GUI and neo4j web console in order to better query the AD datasets...if they can figure out the syntax that is... This talk will (attempt to) demystify Cypher without assuming any prior knowledge of either it or BloodHound. The following will be covered: - A very brief introduction into BloodHound, how it works and how it is used, aimed at those new to the tool - Limitations of only using the pre-made scripts in BloodHound and how these can be solved with custom queries and the neo4j web console - A more detailed look at Cypher syntax and how to write queries (with examples), alongside some common pitfalls - Some example custom queries that I have found useful, including those I have used in engagements - How to save custom queries and import them into BloodHound for later use The need to cannibalise Cypher queries and build better queries came from the sometimes lax number of appropriate pre-built queries in stock BloodHound. Indeed, without the ability to restructure and write one's own, the risk of missing the next novel attack path is more apparent. Sometimes it's not that 'BloodHound did not find anything', it's that you, the user, failed to ask BloodHound the correct question. false https://pretalx.com/bsides-cymru-2024/talk/PTKKCJ/ https://pretalx.com/bsides-cymru-2024/talk/PTKKCJ/feedback/ Sophia Room - Track 2 Talk - Long 2024-04-27T14:40:00+01:00 14:40 00:30 The web platform's openness and composability provide many benefits. Yet, the ability for websites to interact with each other has provided many opportunities for attacks that abuse the core principles of the web. With advancements in web technologies, it might seem like we are entering a post-XSS world. But modern client-side security is so much more than just traditional XSS and CSRF! bsides-cymru-2024-45189-client-side-attacks-in-a-post-xss-world Zeyu (Zayne) Zhang en With the evolution of web frameworks and browsers, Cross-Site Scripting (XSS) and Cross-Site Request Forgery (CSRF) have become increasingly rare. In response, new classes of client-side vulnerabilities have emerged - DOM clobbering, XS-Leaks and client-side path traversals are just a few examples. In this talk, we will explore the merits and potential pitfalls of various protections against XSS and CSRF, newer classes of client-side attacks and some real-world examples of their applications. false https://pretalx.com/bsides-cymru-2024/talk/SHNKCJ/ https://pretalx.com/bsides-cymru-2024/talk/SHNKCJ/feedback/ Sophia Room - Track 2 Talk - Long 2024-04-27T15:15:00+01:00 15:15 00:30 We willingly share immense personal information about ourselves online disregarding the consequences of such actions. Privacy is now a word we bound around whilst simultaneously sharing with the world every aspect of our lives with no second thought. Social media, public databases and breach dumps are a treasure trove of information. From account takeovers, targeted phishing campaigns, fraud, stalking and blackmail we’ll see how threat actors can put the jigsaw pieces about us together to create a detailed attack profile. bsides-cymru-2024-46035-i-know-what-you-did-last-summer /media/bsides-cymru-2024/submissions/HTZTKW/headshot_aINdRRp.jpg Sam Macdonald en Thought provoking look at how much personal information we share and exploratory look at how this can be used in targeted campaigns. During the talk attendees will learn what type of personal information is attainable by OSINT. Workflow of an investigation into a target (using myself as an example) Scenarios of how threat actors could utilise this data with real world examples. false https://pretalx.com/bsides-cymru-2024/talk/HTZTKW/ https://pretalx.com/bsides-cymru-2024/talk/HTZTKW/feedback/ Sophia Room - Track 2 Talk - Short 2024-04-27T15:50:00+01:00 15:50 00:15 How lack of diversity can blinker teams so much that they can create more than just security vulnerabilities. Learn how I break mould to help security teams that I work with, as well as external teams understand if they widen their sights they can see more than just security risks. bsides-cymru-2024-44203-is-the-biggest-cyber-security-risk-the-lack-of-diversity /media/bsides-cymru-2024/submissions/AE99SK/Diversity_oWlqlwu.jpg Becky Hall en The trials and tribulations of a career path, which never played into the stereotypes. A truly honest picture of what risks can be remediated by a team which is more than just what's on paper to go further for ultimate diversity. false https://pretalx.com/bsides-cymru-2024/talk/AE99SK/ https://pretalx.com/bsides-cymru-2024/talk/AE99SK/feedback/ Sophia Room - Track 2 Very Short Talk 2024-04-27T16:10:00+01:00 16:10 00:10 In modern vehicles, many functions that enhance convenience rely on the Controller Area Network (CAN-bus), which serves as an in-vehicle network connecting sensors and actuators. Despite being a three-decade-old technology, the CAN-bus remains prevalent due to its effectiveness and efficiency. However, it lacks essential security features for confidentiality, integrity, and availability, making it vulnerable in today's connected vehicle landscape. While a majority of research has been done to address the security features, there is a lack of attention given to the effects of these additional security features to other parts of the vehicle, such as the Event Data Recorder. If detrimental effects are present, then the security features fitted to combat CAN-bus vulnerabilities needs to be evaluated. bsides-cymru-2024-44300-modern-vehicle-sabotage Muhammad Yusuf Bambang en In this 10-minute talk, we will explore the critical role of the Controller Area Network (CAN-bus) in modern vehicles and its susceptibility to security vulnerabilities. Despite its age, the CAN-bus lacks essential security features, rendering it vulnerable to cyber threats in today's connected vehicle landscape. While efforts have been made to address these vulnerabilities, little attention has been given to assessing the potential impact of security measures on other vehicle components, particularly the Event Data Recorder (EDR). We will discuss the implications of this oversight and the importance of conducting comprehensive security assessments to ensure the integrity and functionality of connected vehicles. Through simulation based experiments, we will underscore the need for holistic approaches to CAN-bus security and highlight avenues for future research and development in the field. Join us as we navigate between security features and vehicle functionality, aiming to pave the way for safer and more resilient connected vehicles. false https://pretalx.com/bsides-cymru-2024/talk/3PYQUV/ https://pretalx.com/bsides-cymru-2024/talk/3PYQUV/feedback/ Sophia Room - Track 2 Talk - Short 2024-04-27T16:30:00+01:00 16:30 00:15 Security remains a paramount concern in the rapidly evolving Internet of Things landscape. Traditional Intrusion Detection Systems often fall short in the face of unique challenges posed by IoT networks, such as resource constraints and device heterogeneity. By creating an IDS which lives on the microcontroller it allows it to have autonomy over its security without relying on external devices. We have a look at the challenges of implementing this solution on the device and how it performs compared to traditional solutions. bsides-cymru-2024-44287-pocket-sized-powerhouses-exploring-idss-on-microcontrollers /media/bsides-cymru-2024/submissions/GQ93WH/OIG1_nRnS38N.jpeg Vasilis Ieropoulos en The ESPRESSIF family of devices, particularly the ESP32, is among the most popular microcontrollers used in the Internet of Things (IoT) domain. The ESP32 is a dual-core system, that can run tasks independently of each other. This dual-core architecture is leveraged to enhance the efficiency of IDSs implemented on these devices. In a typical scenario, one core is dedicated to identifying potential threats or malicious activities, while the other core is responsible for sending telemetry data or alerts about these threats to a central system. This division of labour between the two cores ensures a seamless transition from threat detection to alert generation, enhancing the overall responsiveness and effectiveness of the IDS. To further enhance the functionality of the device while ensuring it operates as intended, techniques like protothreading are employed. This means that the device can perform multiple tasks simultaneously, such as monitoring network traffic, analysing data for potential threats, and sending alerts, without any significant impact on performance. However, implementing such a sophisticated IDS on a microcontroller does come with certain trade-offs, the most notable of which is increased power consumption. The additional processing required for threat detection and telemetry transmission can lead to higher energy usage, which can be a concern for battery-operated devices. true https://pretalx.com/bsides-cymru-2024/talk/GQ93WH/ https://pretalx.com/bsides-cymru-2024/talk/GQ93WH/feedback/ Roath Room Village 2024-04-27T09:30:00+01:00 09:30 04:00 Although technical measures have played a vital role in enhancing cybersecurity, the changing landscape has shifted towards exploiting human vulnerabilities. Most recorded attacks now target behavioural vulnerabilities, highlighting the need to comprehend and encourage positive security behaviours. However, securing human behaviour poses a significant challenge, with individual motivations, environmental influences, and cognitive biases amongst a myriad of factors contributing to the complexity of the challenge. This village seeks to shed light on the complexity of the human challenge in cybersecurity. First, through a series of talks featuring academic and industry experts, we aim to showcase the diverse range of influences on human behaviour. From psychological biases to organisational culture and geopolitics, our speakers will explore the multifaceted nature of human factors and their implications for increasing positive security behaviours. In addition to the talks, attendees can participate in various human factors related interactive sessions, including a novel board game that simulates the development of a digital healthcare start-up, challenging players to make strategic product and cybersecurity decisions as board members. Finally, our village will facilitate an expert panel discussion on pressing questions surrounding human factors, including “How do we know interventions are working?” and ”What even are human factors?!”. bsides-cymru-2024-45710-exploring-the-socio-technical-challenge-what-even-are-human-factors-and-why-should-i-care /media/bsides-cymru-2024/submissions/U379K8/2064_Tc1ZJPq.jpeg Victoria MarcinkiewiczRob PeaceOishee KunduAlicia Cork en Our lineup of speakers brings together experts from various disciplines, offering insights into psychological processes, economic investment, political landscapes, and industrial perspectives, all relating to cybersecurity. From the importance of habit in positive security behaviours to the economics of security investments, each talk promises a nuanced exploration of the human element in cybersecurity. To complement the talks, multiple activities await attendees, including "Technology, Threats, and Tradeoffs", an innovative research board game designed to immerse players in the dynamic environment of digital healthcare startup development. With a focus on cybersecurity and business investments, this game challenges players to navigate the complexities of strategic decision-making, as well as provides additional interactive sessions aimed at unravelling the essence of human factors. Concluding the session, a panel of experts will tackle the fundamental questions surrounding human factors in cybersecurity, inviting discourse on the challenges, vulnerabilities, and future directions for human factors. Join us as we navigate the socio-technical terrain, striving to answer the critical question: What even are the human factors of cybersecurity?! Talks 0930 - Start of HF village (Roath room) - opening remarks 0940 - Tobi Weickert (University of Bath) - Secure by Habit: Exploring the Role of Routine in Cybersecurity. 0955 - Mordecai Otter (Cardiff University) - Why human factors matter when designing digital defences. 1010 - George Raywood-Burke (Cardiff University) - Applying Theory to Practice: How Decision Making can be influenced in Cyber-Security. 1025 - Chris Locke (Admiral) - Agile Security Delivery 1040 - Elizabeth Kolade (University of Bristol) - Why is Cybersecurity a geopolitical issue? 1055 - Rob - Cross cultural differences in the perceived trustworthiness of online information. Activities 1110 - Oishee Kundu, Tobi Weickert - Threats and trade-offs board game       Victoria Marcinkiewicz - OSINT challenge       Rob Peace/Chris Locke - Disinformation challenge       General HF discussion - everyone/anyone Panel - Exploring the socio-technical challenge: What even are human factors?! and why should I care? 1230 - Prof Phil Morgan (Cardiff University)        Dr Oishee Kundu (University of Bath)        Stephen Donovan (Admiral)        Victoria Marcinkiewicz (Cardiff University) End of track - 1330 false https://pretalx.com/bsides-cymru-2024/talk/U379K8/ https://pretalx.com/bsides-cymru-2024/talk/U379K8/feedback/ Bute Room - Lockpicking village Village 2024-04-27T09:30:00+01:00 09:30 07:00 The combined TOOOL UK and UKLOCKSPORT.CO.UK are asking permission to run a lockpicking village. bsides-cymru-2024-44874-lockpicking-village Rik Kershaw-Moore en The combined TOOOL UK and UKLOCKSPORT.CO.UK team which last year provided the Lockpicking Village at BSides Brsitol 23 and Bsides London 23 would like to run a lockpick village at Bsides Cymru 24. We are proposing all the usual Lockpicking village content including skills transfer and maybe a competition or two. false https://pretalx.com/bsides-cymru-2024/talk/XP3JZU/ https://pretalx.com/bsides-cymru-2024/talk/XP3JZU/feedback/ Sponsors Hall Village 2024-04-27T09:30:00+01:00 09:30 07:00 Interested in seeing how industrial control systems work and how secure they are? The ICS Village run by the University of Bristol's Cyber Security Group includes live demos of various attacks against ICS devices using our mobile demonstration units. bsides-cymru-2024-44204-ics-village Joe Gardiner en Industrial control systems, such as those controlling many aspects of critical infrastructure including energy, water and manufacturing, are increasingly the target of sophisticated cyber attacks. At the ICS village you can see practical attack demonstrations against real ICS devices, including demonstrations of attack scenarios which can cause physical processes to go wrong. Demonstrations include reconnaissance of ICS devices (and how Nmap can kill devices), the exploitation of programmable logic controllers and password cracking of human machine interfaces. false https://pretalx.com/bsides-cymru-2024/talk/RJCAYC/ https://pretalx.com/bsides-cymru-2024/talk/RJCAYC/feedback/ Mezzanine Village 2024-04-27T09:30:00+01:00 09:30 07:00 BattleBots bsides-cymru-2024-46372-battlebots Craig Jones, Clare Johnson + Stuart Criddle en BattleBots false https://pretalx.com/bsides-cymru-2024/talk/DWALNA/ https://pretalx.com/bsides-cymru-2024/talk/DWALNA/feedback/