Welcome and practical matters for BSides 2024
In today's cloud-driven landscape, Microsoft Azure and 365 (M365) have become essential tools for businesses worldwide. However, beneath their user-friendly facades lies a landscape rife with potential threats stemming from default configurations. Through years of attacking Microsoft cloud environments during red team engagements I have found commonalities across many companies where...
Passwords are out! So of course you do not need to manage them anymore. Passkeys, on the other hand, are the talk of the town as well as the topic of this talk.
If you have heard about passkeys before and are curious to know more about them, then this talk has got you covered. If you haven’t heard about them before but want to stay à jour, then this talk is a must.
This talk will be a...
EISCAT Scientific Association are currently building EISCAT 3D, the next generation research radar on the Northern European mainland.
This is a research infrastructure that will significantly enhance the capabilities of ionosphere and near-Earth space research. The design and complexity of the system raise challenges that are new to our research communities but more commonly encountered in...
Ever since the introduction of chroot() in the late 70s, the concept of jailing (locking down) services has been a choice for the security-minded to introduce damage prevention to their services. It's always better to write secure services rather than just locking them down, but it's not always possible, and the addition of jailing can be a good second line of defence against unknown...
django-ca is a feature-rich certificate authority written in Python and maintained for around 10 years. As I write this talk submission, I am working with the maintainer to add HSM support to the application, so that it can be used inside of Sunet and various other security-sensitive installations.
A related blog post:...
A decade ago, the Mirai DDoS botnet was the biggest seen with a capacity of roughly 600 Gbit/s packet floods. The week after the high-profile attack on krebsonsecurity, they pointed the direction at a Libera Chat (at the time known as "Freenode") IRC server hosted by Academic Computer Club at Umeå University.
This talk gives a brief overview on how the network providers SUNET and NORDUNet...
THIS WORK HAS BEEN ACCEPTED AND PRESENTED AT IEEE SECDEV 2023
Android is an operating system widely deployed, especially on devices such as smartphones. In this paper, we study the evolution of OpenJDK Java Class Library (JCL) versions used as the basis of the Dalvik Virtual Machine (DVM) and the Android Runtime (ART). We also identify vulnerabilities impacting OpenJDK JCL versions...
and creates many new ones. The federation team at SUNET manages the Swedish identity federation for higher education (SWAMID). We are also involved with the eduGAIN inter-federation and in some new EU projects looking into [Verifiable credentials][1] as the basis for a digital wallet. Another area of development is OpenID Federation, an extension to OIDC to allow federation. This will allow us to...
Should law enforcement use hacking tools? Is XSS dead? And which one is the greatest threat to security: AI or the EU?
In this session our panelists will tackle controversial topics with their wit and wisdom, from hacking ethics to encryption, privacy and those lazy programmers.
Insecure deserialization is regarded as one of the OWASP Top 10 software vulnerabilities. While requiring somewhat complex exploitation prerequisites, the impact of exposing this type of vulnerability is severe, often leading directly to remote code execution. The attack model is based on self-executing methods, invoked during the native deserialization process - so-called gadget chains....
This lightning talk will showcase some dangers of technology on human society, from history to modern times.
Memory corruption vulnerabilities still allow compromising computers through software written in a memory-unsafe language such as C/C++. This highlights that mitigation techniques to prevent such exploitation are not all widely deployed. In this paper, we introduce SeeCFI, a tool to detect the presence of a memory corruption mitigation technique called control flow integrity (CFI). We...
In my talk, I'll dive into the world of game-based learning in cybersecurity, showcasing HackBack - a unique framework that blends role-playing game elements with security training. I'll explain how HackBack revolutionises traditional methods by providing immersive, risk-free simulations of security situations, both offensive and defensive, making it ideal for teaching concepts like Zero Trust...