BSides Ume 2025

10 Jun 2025, 09:00 → 11 Jun 2025, 17:40 Europe/Copenhagen

KBE303 - Stora Hörsalen (KBC building, Umeå University)

Keynote speaker: Emelie Ohlson: Compliance-as-Code: how to do regulated business using public cloud

Remote keynote: Wendy Nather: Falling Off the Edge, and How to Help

The third BSides Conference in Umeå, Sweden will take place June 10th to 11th. It is a community conference on IT security and related fields, part of the global BSides community and is arranged by Academic Computer Club in Umeå.

Registration closing 2025-05-31! After this late registration might be possible for a while, but will no longer include dinner.

 

Previous events are available here: https://indico.neic.no/category/29/

For more interactions and micro updates, follow us on Mastodon or join our slack server

Gold sponsors: Omegapoint

Silver sponsors: NetNordic 

Truesec

Bronze sponsors: PentesterLab

Tuesday 10 June

09:00 → 10:00 Registration and coffee

10:00 → 12:00 Talks

10:00 Welcome and Introduction

Opening remarks from the organizers with practical information.

Speaker: Mattias Wadenstein (NeIC)

10:15 Compliance-as-Code: how to do regulated business using public cloud

Moving to the public cloud should not feel like navigating a maze of
roadblocks - yet for DevOps teams in regulated industries, that is often the
reality. Compliance, risk, legal, and information security teams frequently
operate in silos, slowing down DevOps teams' ambition to deliver innovation
at speed. In this session, we will explore how Compliance-as-Code can unify
these efforts, turning governance into a growth enabler rather than an
obstacle. I will show why compliance-as-code is essential, how it is an
argument for lowering risk and accelerates cloud adoption - empowering your
teams to focus on what matters most: delivering business value.

Speaker: Emelie Ohlson

11:15 Modern Windows Software Cracking by a GNU Linux hacker

In this talk, I will walk you through my journey of reverse engineering and cracking a binary protected by a modern licensing software stack named CryptLion.

The presentation will be structured into three main sections, going from my first observations (as a hacker more used to exploit Linux binaries than Windows executables) to successfully creating my own version of the program without any kind of license verification.

1. Reconnaissance:
   I’ll begin by explaining how I identified the protections put in place to protect this program. This includes the techniques I used to analyze the file structure, extract meaningful information, and gather insights from online resources about CryptLion. Understanding the binary’s composition was the first step in unraveling its secrets.

2. Understanding the code and CryptLion's SDK:
   Next, I’ll dive into the CryptLion SDK to understand how it operates. By comparing the SDK’s (and its library) functionality with the binary in hand, I was able to identify a potential vantage point. This phase involved dissecting the code to map out its behaviour and identify vulnerable points.

3. Binary exploitation : the actual cracking:
   Finally, I’ll share my exploitation strategy, including the techniques I employed. I’ll discuss what worked, what didn’t, and the lessons learned along the way. This section will also cover some reverse-engineering insights into CryptLion’s inner workings and how they were leveraged to achieve the final crack.

This talk will provide a comprehensive look at the methodologies, challenges, and successes of reverse-engineering a CryptLion-protected binary, offering valuable insights for crackers and defenders who'd like to assess their own licensed software.

Speaker: Jeremie A

12:00 → 13:00 Lunch

13:00 → 15:15 Talks

13:00 Bypassing Dynamic Taint Analyzers

Dynamic taint analysis (DTA) is widely used to detect information flow
vulnerabilities by tracking the propagation of taint tags at runtime.
However, existing DTA approaches rely on the assumption that the underlying
type system is secure. In reality is it often not the case. In this
presentation we will look at how attackers can manipulate object types and
directly alter taint labels, effectively bypassing taint tracking
mechanisms.

Speaker: Yufei Wu

13:45 From p0f to JA4+: Network Fingerprinting and Reconnaissance

As scanning and reconnaissance grows more diverse - from public platforms like Shodan and Censys to hidden probing by botnets and bulletproof hosting services-security teams need better ways to understand who is on the other side of their network connections.

This talk will show how network fingerprinting has developed over time, starting with tools like p0f and moving up to more advanced methods like JA4, JA4+, and MuonFP. We’ll discuss how these modern fingerprints can help analysts recognize the tools and infrastructure used by attackers—whether they are fast scanners, basic banner grabbers, or connections routed through VPNs and jump servers.
You’ll learn how to use these fingerprints to strengthen your defenses, protect critical infrastructure, and reduce your visibility to public scanners. We will also explain how to fit fingerprinting into security team workflows, noting both what it can and cannot do.

Attendees will leave with a practical understanding of modern fingerprinting techniques and a few examples they can apply in their daily work.

Speaker: Vlad Iliushin (ELLIO)

14:30 Towards Interpretable Android Malware Detection with Transformer-Based Models

As Android continues to dominate the global mobile market, cybercriminals
increasingly target its vast user base with sophisticated malware. In this
presentation, we propose an interpretable framework for Android malware
detection that leverages language model to analyze a range of
features—including app manifests, API calls, and opcode sequences. By
integrating feature analysis techniques, our approach not only achieves high
detection accuracy but also provides critical insights into which features
drive classification decisions. We will share empirical results
demonstrating the method’s effectiveness on real-world datasets, discuss the
benefits of interpretability for security practitioners, and explore how
these findings can inform the next generation of mobile threat defense
systems.

Speaker: HANTANG ZHANG (Umeå University)

15:15 → 15:45 Coffee break

15:45 → 17:45 Talks

15:45 Using the OWASP Top 10 to Save the Astronauts from HAL

A discussion of the OWASP ML Top 10 and OWASP LLM Top 10, and how a failure to apply these principles in 2001 A Space Odyssey, led to implementation flaws in HAL 9000, resulting in disastrous consequences for the crew.
There will be a discussion of failures to consider different aspects of both the LLM and ML top 10 during HAL's design and training phases, and the subsequent attempts to implement fixes during the mission. Each omission or failure to apply an OWASP principle, that led to the vulnerabilities will be discussed in detail, and also related to real life applications, to ensure the talk isn't just a geeky discussion of a cool-looking scf-fi AI.

Speaker: Nick Dunn

16:45 Falling Off the Edge, and How to Help

The difference between being reasonably able to run a security program and falling below the cyber poverty line can be one year's budget cuts, a business event, a breach, a pandemic or a war. How can we help prevent organizations from falling over the edge, or lift up those who can't even see the edge from where they are? In this session, we'll talk about new initiatives, what more is needed, and how you can help no matter where you sit.

Speaker: Wendy Nather

19:00 → 21:00 Dinner

Wednesday 11 June

09:00 → 10:30 Talks

09:00 Is Your Phone Spying on You? An In-Depth Analysis of Vulnerabilities in Cisco VoIP Phones

Do you trust the embedded devices around you? Perhaps you shouldn't! Even industry giants make significant mistakes. In this presentation, we will analyse Cisco's VoIP phones, that can be found in offices, governmental buildings, and even the White House. These devices were found to have critical vulnerabilities, including easily exploitable flaws.

Fun Fact: Did you know that President Biden and Trump used these phones?

Among the vulnerabilities discovered was unauthenticated packet capture, allowing attackers to intercept and listen to any phone call made or received on the device. We'll demonstrate live how simple it is to intercept, reconstruct, and listen to a phone call.

This presentation will dive into other issues uncovered during the blackbox testing of these devices. We'll also discuss what Cisco could have done differently to prevent these vulnerabilities and provide guidance on how to avoid similar pitfalls. Additionally, we are going explore the challenges and importance of thorough blackbox testing.

Join us for a comprehensive look at the security flaws in trusted devices and learn how to protect against them.

Speaker: Balazs Bucsay (CEO & Founder)

09:30 Tales from Incident Response: Unmasking the Threat Actor’s Inner Sanctum

Imagine if you could watch every step they taken… Unmasking a threat actor activity is sometime like deciphering an ancient manuscript, but what if you can see every move and control when to strike the pause.

This session is not about log analysis, or following the breadcrumbs left by an elusive adversary. It is about having a full timeline of the threat actors machine and knowing exactly what was done without assumptions or guessing!

Speaker: Hasain Alshakarti (TRUESEC)

10:30 → 11:00 Coffee break

11:00 → 12:15 Talks

11:00 Weaponized Open-Source Applications: Real-Life Cyberattack Scenarios

An analysis of one case, together with an analysis of other similar campaigns identified that use malicious advertisements to distribute weaponised open-source software. A walkthrough of one case from start to finish: how the malware was distributed, how the malware worked, what indicators were found by the malware analysis, and what was the motive of the threat actor?

Speaker: Juho Jauhiainen (Accenture)

11:30 Apropos DeepSeek

DeepSeek is an open LLM model promising innovation in both efficiency and transparency – but how much do we really know about what’s happening under the hood? And what does it tell us about where we are in AI development?

In this session, we examine DeepSeek from two perspectives:

Security and risk: What challenges arise when an AI model is built and distributed openly? What does this mean for reliability, integrity, and control? What risks come with DeepSeek’s Chinese origins, and how does that affect trust in the model?
Technical architecture and efficiency: Has DeepSeek truly broken new ground, or is it just another example of solving inefficiency by throwing more hardware at the problem?
We’ll explore the technical details of Mixture of Experts (MoE), parallelization strategies, and why LLMs still resemble steam engines – powerful but wasteful. We’ll also discuss a fundamental limitation of today’s transformer-based AI: that a model’s performance is closely tied to data availability, which in turn dictates how large and effective it can actually become. Finally, we’ll look at why the AI industry – DeepSeek included – remains so reluctant to be transparent about training methods and optimization.

Join us for a deep dive into both the risks and possibilities of open-source LLMs!

11:00 → 12:15 Workshops

11:00 Defeating Encryption By Using Unicorn Engine

Software Reverse-Engineering (SRE) is often considered black magic, but with the right tools and knowledge, its processes can be significantly accelerated. Unicorn Engine is a powerful framework that allows you to execute code platform-independently, which can greatly enhance your SRE skills.

Applications, binaries, and frameworks often contain complex functionalities like encryption and decryption methods that are hidden from the user. Reverse-engineering these can be difficult and time-consuming, especially when they involve non-standard, proprietary or non-documented cryptographic functions. This is where Unicorn Engine comes in. It enables us to execute code dynamically without the need for the proper environment or hardware. By emulating the execution, we can analyse and understand the underlying operations, making the reverse-engineering process more effective.

With Unicorn Engine, you can dissect and manipulate code in a controlled environment. Whether you are dealing with malware analysis, software debugging, or vulnerability research, Unicorn Engine is an awesome tool in your reverse-engineering toolkit.

This training will focus on reverse-engineering one or more binaries with Ghidra. Participants will identify various encryption or obfuscation functions and write code for Unicorn Engine in Python to utilise these functions without ever executing the binary.

No special knowledge is required, but familiarity with Python, Ghidra, and assembly would be beneficial. The training will introduce Unicorn Engine to the audience and explain it in depth.

Speaker: Balazs Bucsay (CEO & Founder)

12:15 → 13:15 Lunch

13:15 → 15:00 Workshops

13:15 Android application instrumentation with FRIDA

Summary
This training is designed for individuals who wish to initiate their journey into mobile app instrumentation, particularly for Android applications. Upon completion of this training, participants should be proficient in the following skills: enumerating loaded classes with Frida, listing methods and properties of a class, hooking the target function, dumping function parameters, manipulating instances, modifying parameter values, and altering function behavior.

Throughout the training, we will guide attendees through the dynamic instrumentation process, clarifying its functioning within the Android ecosystem using FRIDA. We will assist them in configuring their devices/VMs to establish a functional environment before delving into the actual training. The training level is set to cater to beginners to intermediate skill levels.

---

Duration: 4 Hours

---

Instructors

• Jaimin Gohel
• Nishith Khadadiya

---

Past experience:

• https://null.community/events/961-ahmedabad-humla-weekend-day-2#event_sessions
• http://nsconclave.net-square.com/2023/mobile-app-instrumentation-with-frida-jaimin.html
• https://www.udemy.com/course/hacking-android-applications-for-bug-bounty-and-pentesting

---

Detailed training material: https://github.com/jaimingohel/frida-workshop/wiki/1.-Introduction

Speakers: Jaimin Gohel (HackerOne), Mr Nishith Khadadiya

Tools and Setup.png

Workshop WIKI

13:15 Defeating Encryption By Using Unicorn Engine pt 2

Software Reverse-Engineering (SRE) is often considered black magic, but with the right tools and knowledge, its processes can be significantly accelerated. Unicorn Engine is a powerful framework that allows you to execute code platform-independently, which can greatly enhance your SRE skills.

Applications, binaries, and frameworks often contain complex functionalities like encryption and decryption methods that are hidden from the user. Reverse-engineering these can be difficult and time-consuming, especially when they involve non-standard, proprietary or non-documented cryptographic functions. This is where Unicorn Engine comes in. It enables us to execute code dynamically without the need for the proper environment or hardware. By emulating the execution, we can analyse and understand the underlying operations, making the reverse-engineering process more effective.

With Unicorn Engine, you can dissect and manipulate code in a controlled environment. Whether you are dealing with malware analysis, software debugging, or vulnerability research, Unicorn Engine is an awesome tool in your reverse-engineering toolkit.

This training will focus on reverse-engineering one or more binaries with Ghidra. Participants will identify various encryption or obfuscation functions and write code for Unicorn Engine in Python to utilise these functions without ever executing the binary.

No special knowledge is required, but familiarity with Python, Ghidra, and assembly would be beneficial. The training will introduce Unicorn Engine to the audience and explain it in depth.

Speaker: Balazs Bucsay (CEO & Founder)

13:15 Learn DNS using Python

DNS is a complex topic which many developers do not understand. People hear about one or two IP addresses of DNS servers which others are using and then they themselves start using them everywhere.

This workshop is a mix of history + current tools + code using existing Python modules to learn about how various parts of the DNS ecosystem work. We learn about how DNS actually works to how a resolver works, to even writing our own small authoritative dns server.

I already presented the first round of the workshop in the local Stockholm Python User group and planning to do a few more rounds of the workshop in Sweden and nearby places to smaller technical students and related groups. This helps to fine tune the workshop and have better flow ready.

Speaker: Kushal Das (Sunet)

13:15 Mobile Device Forensics 101

This workshop will give an introduction to mobile device forensics on iOS and Android devices using open source tools. Participants will learn how to acquire the data and where to find the most important bits and pieces related to the goal of the investigation. Participants will also have an opportunity to test their new skills in a CTF.

Speaker: Timo Miettinen

15:00 → 15:30 Coffee break

15:30 → 17:30 Workshops

15:30 Android application instrumentation with FRIDA pt 2

Summary
This training is designed for individuals who wish to initiate their journey into mobile app instrumentation, particularly for Android applications. Upon completion of this training, participants should be proficient in the following skills: enumerating loaded classes with Frida, listing methods and properties of a class, hooking the target function, dumping function parameters, manipulating instances, modifying parameter values, and altering function behavior.

Throughout the training, we will guide attendees through the dynamic instrumentation process, clarifying its functioning within the Android ecosystem using FRIDA. We will assist them in configuring their devices/VMs to establish a functional environment before delving into the actual training. The training level is set to cater to beginners to intermediate skill levels.

---

Duration: 4 Hours

---

Instructors

• Jaimin Gohel
• Nishith Khadadiya

---

Past experience:

• https://null.community/events/961-ahmedabad-humla-weekend-day-2#event_sessions
• http://nsconclave.net-square.com/2023/mobile-app-instrumentation-with-frida-jaimin.html
• https://www.udemy.com/course/hacking-android-applications-for-bug-bounty-and-pentesting

---

Detailed training material: https://github.com/jaimingohel/frida-workshop/wiki/1.-Introduction

Speakers: Jaimin Gohel (HackerOne), Mr Nishith Khadadiya

15:30 Learn DNS using Python pt 2

DNS is a complex topic which many developers do not understand. People hear about one or two IP addresses of DNS servers which others are using and then they themselves start using them everywhere.

This workshop is a mix of history + current tools + code using existing Python modules to learn about how various parts of the DNS ecosystem work. We learn about how DNS actually works to how a resolver works, to even writing our own small authoritative dns server.

I already presented the first round of the workshop in the local Stockholm Python User group and planning to do a few more rounds of the workshop in Sweden and nearby places to smaller technical students and related groups. This helps to fine tune the workshop and have better flow ready.

Speaker: Kushal Das (Sunet)

15:30 Mobile Device Forensics 101 pt 2

This workshop will give an introduction to mobile device forensics on iOS and Android devices using open source tools. Participants will learn how to acquire the data and where to find the most important bits and pieces related to the goal of the investigation. Participants will also have an opportunity to test their new skills in a CTF.

Speaker: Timo Miettinen

17:30 → 17:40 CTF prize ceremony

Speaker: Mattias Wadenstein (NeIC)