Archive for the talks Category

Abstract:
Our talk will cover several aspects of how terrorist groups, particularly ISIS, have integrated social media and messaging platforms into their recruitment and propaganda campaigns, an adaptation that has enabled easier and cheaper dissemination of extremist material on a global scale. Our research focuses on understanding how ISIS uses Twitter, the potential intelligence gold mine this creates, and the overall negative impact of an easily accessible extremist echo chamber. Our secondary area of interest is the use of end-to-end encrypted communications by ISIS; we discuss the technical and political aspects of cryptography bans or backdoors. Overall, we aim to summarize the successes and failures encountered by terrorists while adapting their organizations to rely heavily on the internet. As our research relies exclusively on open source intelligence (OSINT), we will conclude by briefly covering our methods, successes, failures and what we learned from it all.

Bio:
We are both undergraduates studying BSc Ethical Hacking at Abertay, Scotland. We were introduced to open source intelligence via our degree and have a longstanding independent interest in studying terrorism; the combination of the two led us to this research. We are both active on Twitter as @bowesky and @mikeyjck.

[This presentation has been canceled.]

Abstract:
When a software development life cycle is informal, without a clear heading and with no documented processes or procedures, it tends to result in an unnecessarily high amount of downtime in the production environment. It also introduces an unnecessarily high number of security vulnerabilities, which in turn may end up costing software development companies and their clients a lot of money.

By implementing a formal secure software development life cycle, it is possible to catch security vulnerabilities, in both design and implementation, much earlier, thereby reducing downtime and unnecessary costs.

This presentation is based on the presenter's experience of working for multiple companies: as a member of a programming team, leading programming teams, auditing software development life cycles and, most recently, designing and leading the implementation of a secure software development life cycle.

This presentation covers the basic building blocks required to achieve a successful and secure software development life cycle. Useful standards that can be applied in the design of a secure software development life cycle will be covered, including ISO/IEC 27034. The presentation will also address a number of questions, including: "Should every software company implement a secure software development life cycle?" and "What are common pitfalls and how can they be avoided?"

Bio:
Svavar has specialized in IT security and software development for the last 18 years and has held various roles in programming and IT security consulting, with vast experience in penetration testing, vulnerability assessment, code auditing and information security management, including ISO/IEC 27001, PCI DSS and PA-DSS. These roles include a manager position at KPMG as well as a CISO position at DH samskipti. Svavar has taught classes on computer security at the University of Iceland and the University of Reykjavik. Svavar was the chairman of the information security focus group at the Icelandic Computer Society from 2007 to 2012. He has given talks at multiple events in Iceland, the UK, Germany, Ukraine and the US, including OWASP, BSides and Hacker Halted Europe. Svavar holds various certifications, including CISSP, CISA and CISM.

[This presentation has been canceled.]

Abstract:
Today, passwords remain one of the cornerstones of security. They are used everywhere: accounts for online services, access to email and servers, domain accounts and more. We all know stories of big companies that have been cracked because of the simple and predictable password of one of their employees.
During the talk we will present the results of testing different dictionaries for brute force, rules and other methods used to recover user password hashes. Also, what happens if we combine all the dictionaries into one? One big wordlist will, of course, recover hashes with the combined efficiency of all the dictionaries, but it has several drawbacks: size and "recovery" speed. The problem can be solved by combining dictionaries and testing the combinations to find the best one. The first problem with this approach is that if there are 100 dictionaries and each combination contains only 5 of them, there are nearly 9 billion possible combinations. If there are about 200 of them and each combination contains a few hundred of them, it is impossible simply to iterate over such a number. Genetic algorithms can be used to solve this problem: they generate useful solutions to optimization and search problems. We will present some results of the idea of building dictionaries using genetic algorithms, how population and genotype size influence the final results, and the pros and limits of the approach.
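
The selection problem described above, reduced to a runnable toy: a genotype is a bitmask over the available dictionaries, fitness is the number of audit hashes the merged wordlist recovers minus a penalty for its size, and a small genetic algorithm (truncation selection, one-point crossover, single-bit mutation) searches for the best combination. This is an added example, not code from the talk; the dictionaries, the audited passwords and the weighting of the size penalty are all constructed for illustration.

```python
import hashlib
import random

# Constructed toy data for this example: five small "dictionaries" and the
# unsalted SHA-1 hashes of a handful of made-up passwords from an audit.
DICTIONARIES = {
    "common": ["password", "123456", "qwerty", "letmein", "welcome"],
    "names":  ["michael", "jessica", "daniel", "ashley"],
    "sports": ["football", "hockey", "tennis"],
    "years":  ["2014", "2015", "1999"],
    "huge":   ["password", "123456"] + ["word%d" % i for i in range(500)],
}
AUDIT_PASSWORDS = ["password", "qwerty", "michael", "hockey", "2015", "Tr0ub4dor"]
HASHES = {hashlib.sha1(p.encode()).hexdigest() for p in AUDIT_PASSWORDS}
NAMES = list(DICTIONARIES)          # genotype bit i means "include NAMES[i]"

def fitness(genotype):
    """Hashes recovered by the merged wordlist, minus a penalty for its size."""
    words = {w for bit, n in zip(genotype, NAMES) if bit for w in DICTIONARIES[n]}
    recovered = sum(hashlib.sha1(w.encode()).hexdigest() in HASHES for w in words)
    return recovered - 0.001 * len(words)   # one extra hash is worth 1000 words

def evolve(population=8, generations=60, seed=1):
    """Evolve a bitmask over the dictionaries; returns the best combination found."""
    rng = random.Random(seed)
    pop = [[rng.randint(0, 1) for _ in NAMES] for _ in range(population)]
    for _ in range(generations):
        pop.sort(key=fitness, reverse=True)
        parents = pop[: population // 2]            # keep the fitter half
        children = []
        while len(parents) + len(children) < population:
            a, b = rng.sample(parents, 2)
            cut = rng.randrange(1, len(NAMES))
            child = a[:cut] + b[cut:]                # one-point crossover
            if rng.random() < 0.5:
                child[rng.randrange(len(NAMES))] ^= 1   # single-bit mutation
            children.append(child)
        pop = parents + children
    best = max(pop, key=fitness)
    return [n for bit, n in zip(best, NAMES) if bit]

if __name__ == "__main__":
    print(evolve())   # the four small lists; "huge" is dropped as it adds nothing new
```

With 5 dictionaries the 32 genotypes could be enumerated directly; the point is that the same loop scales to the hundreds of dictionaries the abstract mentions, where enumeration cannot.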

Bio:
Ivan is an information security auditor at Digital Security. His main area of interest is the analysis of source code. He likes to search for bugs and vulnerabilities in the source code of different applications, from simple web sites to enterprise software. He also has vast experience in penetration testing of banking systems and web applications.

Abstract:
With the number of newly emerging trusted Certificate Authorities (CAs), a few not-so-recent CA breaches, and the fact that any trusted CA can issue a certificate for any domain, there is an increasing risk of MITM attacks against users who notice nothing. Fortunately, new standards are being proposed that address these trust issues. We will look into DANE certificate pinning and how to implement it.
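
The pinning mechanism the talk refers to is the TLSA record (RFC 6698): a DNSSEC-signed record naming a certificate usage, a selector (whole certificate or just the SubjectPublicKeyInfo) and a matching type (raw data or its SHA-256/SHA-512 hash). The added example below, which is not code from the talk, builds the zone-file form of a `3 1 1` record and performs the check a DANE-aware client makes against the certificate a server actually presented; CERT_DER and SPKI_DER are constructed placeholders for the DER bytes, and the function names are this example's own.

```python
import hashlib
import hmac

# TLSA field values as defined in RFC 6698.
USAGE_DANE_EE = 3     # 3 = DANE-EE: trust this end-entity certificate directly
SELECTOR_SPKI = 1     # 1 = match the SubjectPublicKeyInfo (0 = whole certificate)
MATCH_SHA256 = 1      # 1 = SHA-256 of the selected data (0 = full data, 2 = SHA-512)

# Constructed stand-ins for DER bytes. A real deployment takes them from the
# server certificate (e.g. openssl x509 -in cert.pem -pubkey -noout for the SPKI).
CERT_DER = b"constructed DER bytes of the server certificate"
SPKI_DER = b"constructed DER bytes of its SubjectPublicKeyInfo"

def selected_data(selector, cert_der, spki_der):
    if selector == 0:
        return cert_der
    if selector == 1:
        return spki_der
    raise ValueError("unknown TLSA selector %d" % selector)

def association_data(matching_type, data):
    if matching_type == 0:
        return data
    if matching_type == 1:
        return hashlib.sha256(data).digest()
    if matching_type == 2:
        return hashlib.sha512(data).digest()
    raise ValueError("unknown TLSA matching type %d" % matching_type)

def tlsa_rdata(cert_der, spki_der, usage=USAGE_DANE_EE,
               selector=SELECTOR_SPKI, matching_type=MATCH_SHA256):
    """Presentation-format RDATA for the zone file: 'usage selector mtype hex'."""
    data = association_data(matching_type, selected_data(selector, cert_der, spki_der))
    return "%d %d %d %s" % (usage, selector, matching_type, data.hex())

def tlsa_zone_line(host, port, cert_der, spki_der, proto="tcp"):
    """Full record, e.g. _443._tcp.example.com. IN TLSA 3 1 1 <hex>."""
    return "_%d._%s.%s. IN TLSA %s" % (port, proto, host, tlsa_rdata(cert_der, spki_der))

def tlsa_matches(rdata, cert_der, spki_der):
    """The pin check a DANE-aware client makes on the certificate the server presented."""
    usage, selector, matching_type, hexdata = rdata.split()
    if int(usage) != USAGE_DANE_EE:   # usages 0-2 also require PKIX chain checks; not shown
        raise NotImplementedError("only DANE-EE (3) is handled in this example")
    got = association_data(int(matching_type), selected_data(int(selector), cert_der, spki_der))
    return hmac.compare_digest(got.hex(), hexdata.lower())
```

Selector 1 is the usual choice because a renewed certificate that keeps the same key pair still matches the published record, so the DNS entry only changes on key rotation.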

Bio:
Damjan Sirnik is a student at the Faculty of Electrical Engineering, University of Ljubljana, with experience in systems and network security, web technologies and systems administration. These days his main interests are e-mail and web security.



Slides/Video/recordings:

[Slides (PDF)] [Recording (MP4)] [Recording (OGV)]

Abstract:
This talk will address the issues pertaining to supply chain security as it relates to global organizations and the highly interconnected nature of suppliers and corporations. The presenter will draw on personal war stories to illustrate the need not just to worry about the main corporate security perimeter but to address the extended perimeter and the exposures and risks that arise from the supply chain. Aspects of an exposed supply chain include trading partner networks, code developed by offshore development centers, and outsourced help desks.

Bio:
Dave has almost two decades of industry experience, including extensive experience in IT operations and management. Currently, Dave is a Global Security Advocate for Akamai Technologies. He is the founder of the security site Liquidmatrix Security Digest and co-host of the Liquidmatrix podcast. Dave writes a column for CSO Online and Forbes.

Slides/video recordings:
[Slides (PDF)]