Multi-cloud and hybrid identity setups are now the standard in enterprise environments. Connecting on-prem directories, cloud environments, and third-party systems improves management and visibility, enabling organizations to oversee their infrastructure more effectively. But in return, these connections blur long-standing trust boundaries and introduce new, often overlooked attack paths.
The assume-breach point of view has become the norm for security professionals, recognizing that incidents are bound to happen sooner or later. But what about breaches that go beyond the typical security threats exploited by malicious outsiders? In this talk, we will dive into privacy breaches, from major well-publicized scandals to smaller, barely mentioned cases, showing the impact of weak privacy design and how these breaches could have been avoided.
Through these high profile privacy incidents, we will derive actionable learning that you can integrate into your current security practices, ensuring your products will be both secure and privacy-respecting.
This talk explores the world of OT (Operational Technology), the risks of interfering with these systems, and how experienced pentesters can approach an OT pentest without increasing safety risks.
Be prepared to see a full live demo of an internet-to-production-disruption attack and how any company can defend itself against these threats. All without interrupting an always-on industrial environment.
We will also explain how an organization can defend itself against each of the different phases of these attacks.
Threat modeling: all development teams should be doing it, but what's really happening in practice?
Nearly a decade of CREST’s influence has pushed the adoption of threat-informed security and helped make the concept of the “kill-chain” popular. MITRE contributed by systematically organizing and documenting attacks across the kill-chain for strategic planning, and atomic simulations are the tool to validate controls.
Still, many organizations struggle to prioritize available threat intelligence and turn simulation outcomes into actions. This gap underscores the need for a better Purple Team. One that doesn’t just produce a report, but actually helps improve defenses.
Purple Teams should not be a downplayed, “glorified” Red Team where the SOC knows that something is about to happen, learns about the attack technique and tries to catch it live. That’s not the point, nor is it running a series of planned and “continuously repeated” atomic tests; a BAS tool will “continuously produce the same results”. Purple Teams take a broader, more collaborative path, aiming to cover a wider range of threats and focusing on strategic efficiency, producing artefacts that can be reinjected into operations for long-term value.
Cruise ships are possibly the most complex collection of systems that you'll find in one physical, moving location. Propulsion, navigation, power generation and more, combined with a hotel, restaurant, casino, theatre etc., with safety and fire control systems to boot. That complexity creates huge challenges in keeping OT and IT systems apart. Ships' engines are often remotely managed, and network segregation is often defeated through troubleshooting when at sea.
We'll recount multiple entertaining and informative tales of taking control of ships, including accessing a ship's Azipods via a game simulator for passengers. Fortunately, genuine attacks against vessels are very rare, but the effects and impacts on world trade are becoming increasingly obvious.
The open-source ecosystem is one of software’s greatest achievements, but when trust is weaponized, the results can be alarming. In this session, we trace a case study that began with a seemingly innocent GitHub project and unraveled into a layered, globally distributed deception network.
After being presented at DEFCON 33 in the Bug Bounty Village and at leHack in Paris, this talk is now coming to the Belgian community. Pedro will be exposing a design flaw he discovered that impacts Retrieval-Augmented Generation (RAG) systems and AI-powered applications.
