BSides Ume 2023

Europe/Copenhagen
Aula Biologica (Umeå University)

Johan Bures väg, Umeå, Sweden
Mattias Wadenstein (NeIC)
Description

The first BSides conference in Umeå, Sweden in the summer of 2023.

The 2024 event is at https://indico.neic.no/event/258/

The conference will take place on June 27th.

Keynote: Leif Nixon: How to Hack a Country - *a practical guide*

Gold sponsor: Omegapoint

Silver sponsor: NetNordic

Bronze sponsor: Sartorius

    • 19:00
      Pre-drinks at Omegapoint - separate registration required!

      Omegapoint, Renmarkstorget 12, city center, Umeå

      Pre-drinks at Omegapoint for BSides Ume participants; separate registration by 2022-06-22 is required to participate.

    • 09:00
      Registration and morning coffee
    • Talks: Morning
      • 1
        Welcome and practical matters

        Welcome, and a brief rundown of practical matters and the rough schedule.

        Speaker: Mattias Wadenstein (NeIC)
      • 2
        Keynote: How to Hack a Country - *a practical guide*

        Cyber Warfare is a pretty vague concept. Often it is used intentionally vaguely, because it is a good way to get funding. It is a big, scary phrase. Our Cyber Warriors need umpteen millions to Cyber Defend the nation against Cyber Warfare.

        But what does it mean in practice? How could you hack a country? How would I hack a country? We will discuss real-life attacks and vulnerabilities, past, present and future, in order to gain a better understanding of the realities behind the big words.

        Speaker: Leif Nixon (Nixon Security)
      • 3
        Likelihood of Failure

        Risk management is at the core of what we do in security, and yet is used as much of an excuse not to pursue security as to follow it.

        This talk will look at removing likelihood from the risk management equation and taking a whole new approach in communicating risk. Instead of heatmaps or four by four boxes, we will look at assessing risks through scenario exercises to determine if the impact of the event is acceptable and requires no action, or not acceptable and needs controls applied.

        Most importantly, we'll look at using scenarios without resorting to FUD (fear, uncertainty, and doubt) to highlight genuine concerns without diving into hyperbole.

        Speaker: Mr James Bore
      • 4
        I’m ok, you’re ok, we’re ok: Living with AD(H)D in infosec

        I was diagnosed with AD(H)D almost three years ago, aged 44. Getting the diagnosis and being able to get proper medicine meant the world to me; suddenly I understood all those symptoms and I was able to function remarkably better. Better understanding also meant that I got more insight into why it was becoming increasingly harder for me to get and keep a job. So something had to happen.
        I’ve been an infosec professional for almost 20 years but after my diagnosis I moved to community marketing which basically meant doing the spare-time thing I love as a living. In December 2022 I was fired again and by then I knew I had to make yet another career change and make a career for myself that works better for me. Keep getting fired is obviously not sustainable. My (wise) wife said “You can’t talk about having ADHD and the challenges you have without acting upon them”. So I decided to go freelance in infosec probably after realizing that would probably work best for me.
        So this is what this talk is about: Regardless of mental diagnoses or not you should always go for what makes you happy. And especially when being mentally challenged it’s extremely important to know what the challenges are so you can mitigate them. It’s also about ADHD, what it’s really about, what the symptoms are and that you only have one life so it’s important to make the best of it.
        By doing this talk I hope to spread knowledge about ADHD and break down taboos about it so more people can be helped and help themselves. I hope you want to hear it and that my experiences and story can inspire and help you!

        Speaker: Mr Klaus Agnoletti
    • 12:00
      Lunch at Hansson & Hammar, IKSU
    • Talks: After lunch
      • 5
        An In-depth Study of Java Deserialization Exploits

        Deserialization is a technique based on rebuilding instances of objects from a byte stream. It can open applications to attacks such as remote code execution (RCE) if the data to deserialize originates from an untrusted source. Deserialization vulnerabilities are so critical that they are in OWASP’s list of top 10 security risks for web applications. This is mainly caused by unwise decisions made during the development process of applications and by flaws in their dependencies such as libraries. In this talk we dissect Java deserialization vulnerabilities and discuss the analysis of gadgets based on 19 publicly known exploits. We observe that the modification of one innocent-looking detail in a class – such as making it public – can already introduce a gadget. Furthermore, 37.5% of the gadgets are not patched, leaving them available for future attacks.

        Speakers: Alexandre Bartel (Umeå University), Mr Glenn Jansson
      • 6
        Threat modeling: The single most effective security habit your team should start doing

        From its inception in the nineties where threat modeling was an artifact-heavy beast and mostly used as a formality, the method is now a light-weight conversation and design tool used directly by the development teams.

        In this session I will show you how you can lead your team to new insights about the system you're building and an understanding of the surrounding threat landscape, using just a whiteboard and a few simple questions.

        Speaker: Markus Örebrand (OWASP)
    • 14:30
      Afternoon coffee break
    • Talks: Last
      • 7
        Quantum computers - the end of all encryption. Or?

        The development of quantum computers has gained increased attention over the
        last years, not least because of this year's Nobel Prize in Physics.
        Quantum computers are often portrayed as a major threat against modern crypto
        systems and therefore also a threat against fundamental
        security mechanisms that we all depend on in our modern connected world.

        In this talk, we will learn how quantum computers operate,
        which types of crypto systems are vulnerable (and not), and why quantum
        encryption is not the solution to the problem.

        And, of course, we will answer the million-dollar question; When will the
        first crypto-breaking quantum computer see the light of day?

        Speaker: Jens Bohlin (Tutus Data)
      • 8
        Regaining Privacy with Self Sovereign Identities

        How can you prove that you are you? How can you prove that you earned a particular degree from a particular university? How do you do this in a digital context, where you never even meet your counterpart? How can you know that you can trust the authenticity of a digital document? And how can you do all of this completely anonymously?

        In this talk I will tell you about a set of technologies that answer all of the above questions at once. Technologies that enable the building of secure systems with high trust, where users have full control over their own data.

        Speaker: Linus Lagerhjelm (Omegapoint)
      • 9
        Closing Remarks
        Speaker: Mattias Wadenstein (NeIC)
    • 19:00
      Dinner at Sjöbris

      Skeppsbron 10, https://www.sjobris.nu/