OWASP Copenhagen

The Copenhagen local chapter organizes quarterly events to promote OWASP and information security in general.

We (re)started from the OWASP-Denmark local chapter with an initial event on October 25th, 2018.

Events

On this page we keep track of all past events we organized; it is rarely updated. Go to [meetup] to check the latest events and subscribe to get the latest updates from our chapter.

If interested in giving a talk, please send a message to Alessandro Bruni.

Thursday, September 21, 2023 [meetup]

A night of Blackteaming, Supply Chain Attacks and DEFCON CTF

Brian Harris: War Stories in Physical Penetration Testing

This is going to be a talk about how the world continues to drive full speed ahead on cyber security, but when it comes to physical security we are often around 10-20 years behind. I will show some war stories, techniques and the like to highlight just how vulnerable even high security locations are when it comes to physical penetration testing, and that if you have no physical security, you have no cyber security.

Brian Harris has a long career of physical pen testing (aka blackteaming) behind him. He can truly do some amazing stuff that can make you stop and wonder why we even bother having locks in the first place, so obviously you don’t want to miss this!

Mikkel Rømer: Infiltrating modern companies using Supply Chain Attacks

Case: Visual Studio Code. Within this session we will be deep diving into Supply Chain attacks. Supply chain attacks are a growing phenomenon, which allows the adversary to infiltrate widely whilst gaining the trust of legitimate software brands. This session will be technical. We will be designing and implementing techniques throughout the presentation until a final malware is ready for deployment. With a fully custom-built malware, targeting the modern text and code editing application Visual Studio Code, we will investigate its potential in terms of detection within top class endpoint detection and response software such as CrowdStrike Falcon and Microsoft Defender for Endpoint. We will compare the results with similar execution done via the notorious adversary framework Cobalt Strike. Brace yourself for a thrilling journey through the shadows of the digital realm, where adversaries roam undetected.

Adam Blatchley Hansen and William Ben Embarek: How to get 6th place at DEFCON CTF!

Every year the legendary hacker convention DEFCON hosts one of the oldest and most competitive cybersecurity CTF competitions in the world. This year, Kalmarunionen joined forces with teams from around the Nordics as NORSECODE, and travelled to the finals in Las Vegas, where they took home a very impressive 6th place overall. In this talk Adam and William will share the story of the team’s road to qualifying for, and competing at, the DEFCON CTF finals. They will introduce the world of “CTF” hacking competitions from the perspective of a top competitive team, and give an inside look at what it takes to compete in international hacking competitions at the very highest level. From organisational strategies to interesting CTF challenges to internal team tooling, they’ll go over what it took for Norsecode to outperform many much larger and more experienced teams, as well as some of the more unexpected challenges they encountered along the way!

Bio: Adam is a PhD student studying Cryptography at Aarhus University, as well as Head Coach of Cyberlandsholdet and the current captain of Kalmarunionen and Norsecode. William is a Pentester at TDC NET and a longtime CTF player with Kalmarunionen; he also handled onsite infrastructure for Norsecode during the DEFCON finals in Vegas.

Wednesday, November 9, 2022 [meetup]

A night of collaboration, secure coding and secure implementation

Klaus Agnoletti

Klaus will talk about how CrowdSec was able to enable the entire infosec community to work together by detecting attempts to exploit a critical 0day, reporting them centrally, thereby enabling anyone to protect themselves. CrowdSec is FOSS, collaborative threat intelligence and threat mitigation. More info at https://crowdsec.net

Sébastien Gondron

Manual code inspection is a very effective measure in detecting and preventing vulnerabilities and weaknesses. However, navigating applications that can span millions of lines of code can be an arduous task. Sébastien will share his experience and show how to make the best of static analysis tools to facilitate and enhance the manual inspection.

Linus Lagerhjelm

You have designed your application with security in mind, but how do you make sure that the implementation is actually following these principles? Any sort of software system, even a simple one, usually consists of a lot of moving parts in a lot of different layers, and getting everything correct can sometimes feel overwhelming. In this presentation, Linus will present a ‘checklist’ with the most important security controls to apply in each layer of the application, from the database to the user’s client. When security is applied in every layer of the application, the impact of a vulnerability will be much smaller.

Tuesday, April 26, 2022 [meetup]

Email spoofing via marketing platforms, By Martin Sohn Christensen, Security Advisor at Improsec.

Many mechanisms exist to prevent email spoofing, such as SPF, DKIM, and DMARC, but what if these were not sufficient even when configured correctly? Martin will present known anti-spoofing mechanisms and share his research on vulnerabilities in marketing platforms that can lead to effective email spoofing for threat actors and red teams.

Kalmarunionen in a world of CTFs, By Morten Eskildsen, Kalmarunionen

Kalmarunionen is one of the top teams in the whole world when talking cybersecurity and Capture The Flag (CTF) competitions. So in this talk we will have a deep dive into what a CTF actually is and its applicability to the real world. The focus will be to look at it from the viewpoint of Kalmarunionen, bringing you stories and hard-earned learnings from some of the many competitions we have been a part of. We will discuss overall tactics and shortcomings before finally diving into how it can be applied in the real world.

Thursday, February 17, 2022 [meetup]

Magnus Stubman, Senior Red Team Consultant at Mandiant and former security consultant at Improsec and F-Secure.

Magnus started his career as a software developer and later turned his attention to Cyber Security, specifically attack and penetration testing, both digital and physical. Today Magnus specializes in Red Teaming.

The ‘Initial Access’ phase is part of every intrusion, regardless of whether it’s a ransomware crew, a nation state threat actor, or a Red Team behind the attack. In Magnus’ talk, he will be deep diving into this specific phase, and deliver a case study of a particular malware payload.

Linus Kvarnhammar, a cyber security professional and hacker for over 10 years.

Linus will share some juicy details from the Swedish TV series “Hackad”. He’ll discuss how easy (or not) it is to hack private people, social media personalities and companies.

After the two talks there will be time for us to hang out and catch up after two years of captivity. Please be there at 17.00 / 5 PM. If it is your first time at ITU, you can just follow the signs that will be put up.

Tuesday, October 5, 2021 [meetup]

Dimitry: Did you just assume your product is secure?

People tend to assume things. I know I do. It’s perfectly normal; it’s how our brains evolved to work. Join me in exploring the role of assumptions in our everyday life and how that impacts the security of the products we build. Or did I just assume that they do? Hmm.

Jonas: ImproHound Workshop: Protect your Domain Admins with tiering

It is not viable for system administrators and defenders in a large Active Directory (AD) environment to ensure all AD objects have only the exact permissions they need. It is too big of a task, which is why many organizations are vulnerable to AD attacks due to too loose or wrong permissions. At the same time, credential theft may lead to privileged AD users having their password stolen when they log in to compromised computers. These vulnerabilities are chainable, which is why in many AD environments you can escalate your rights to Domain Admin no matter what computer or user you have.

Thursday, July 1, 2021 [meetup]

Scale Security by Embracing Secure Defaults and Best-practices for DevSecOps

Adam Berman: Scale Security by Embracing Secure Defaults

We’re in the middle of a significant shift in how security teams operate and prioritize their limited budget and person-time. Historically, as an industry, we’ve focused on building tools to identify vulnerabilities. While we’ve built impressive tools, these approaches have failed to address the challenges of modern engineering teams. Specifically, these tools often are too slow, require a prohibitive amount of security engineer time and domain expertise to tune, overwhelm users with false positives, and most importantly, do not ultimately raise a company’s security bar. But there’s another way.

When done correctly, combining secure defaults with lightweight checks that enforce invariants (properties that must always hold) lets organizations solve classes of vulnerabilities by construction, preventing bug whack-a-mole. In this talk, we’ll present a practical step-by-step methodology for:

  • Choosing what to focus your AppSec resources on
  • How to combine secure defaults + lightweight invariant enforcement to eradicate entire vulnerability classes
  • How to integrate continuous code scanning into your CI/CD processes in a way that’s fast, high signal, and low friction for developers
  • How to use an open source, lightweight security linting tool to find bugs and anti-patterns specific to your company

Martin Clausen: Best-practices for DevSecOps

The presentation will show best-practices for DevSecOps (i.e. the security part) and includes a case study about supply chain controls related to the SolarWinds incident.

Thursday, May 20, 2021 [meetup]

Per Thorsheim: “How I hacked the largest bank in Norway using a 1-page paper form”

We are so lucky that Per has chosen to premiere his latest talk for us here at OWASP Copenhagen. So come join us for this. Per is a fantastic storyteller :-)

Back in 2019-2020 banks were running a campaign saying you should never share your BankID with anyone. Never give your OTP or password to anyone. Use a “power of attorney” (Danish: Fuldmagt) to give another person access to your bank account instead, to act on your behalf if needed. So Per Thorsheim got curious and started to investigate with a few friends. This is the story of how they found a way to gain access to probably any personal account at the largest bank in Norway, using a 1-page paper form from the bank itself.

This is not a technical talk, but a talk about UX, design & process flaws, and responsible disclosure.

Could this be possible with your bank?

Stu: Why You Should Build a Community!

Stu discusses why community is important for fostering collaboration, forming important connections, mentoring, and the great things that can happen from this.

Stu shares his experience of building an infosec community, The Many Hats Club, the highs and lows, but ultimately why this is something we should all strive to do. The talk will cover the following:

  • Why communities are vital in infosec
  • How to start out
  • Platforms
  • Pitfalls and things to avoid (from my many mistakes)
  • Mentoring
  • Key achievements - 2 x cons, CTFs, podcasts, community projects, research, responsible disclosures etc.
  • Mods/Admins, CoC etc.: things you cannot live without.
  • Why you should all build a community right now!
  • Q&A

Thursday, April 29, 2021 [meetup]

POST-QUANTUM DIGITAL SIGNATURES

Sahana Sridhar: https://www.linkedin.com/in/sahsridh/

Former IBM Test Specialist and Master of Science from Norwegian University of Science and Technology (NTNU). Sahana will enlighten you on the findings of her master thesis on post-quantum digital signatures based on identification schemes.

THE FAILURES OF NEMID AND THE THREAT OF QUANTUM COMPUTERS

Lars Embøll Nielsen: https://www.linkedin.com/in/qkd/

Lars will take you on a journey through the failures of NemID, the legal landscape of digital signatures in the EU and why Quantum Computers can be a threat to the way we currently keep digital signatures secure.

AS ALWAYS… you will have the opportunity to ask the participants questions.

Thursday, March 25, 2021 [meetup]

DISCOUNT PHISH BURN BETTER and USER MODE API HOOKS AND BYPASSES

Note: THIS IS AN ONLINE EVENT! The link to the stream will be released here prior to the event.

THE SPEAKER

Magnus Stubman, Security Advisor at Improsec and former security consultant at F-Secure and Zacco. https://www.linkedin.com/in/magnusstubman/

Magnus started his career as a software developer and later turned his attention to Cyber Security, specifically attack and penetration testing, both digital and physical. Today Magnus specializes in Red Teaming.

Magnus will do something we haven’t facilitated in OWASP CPH before - he will do a double presentation - to take you on a technical security ride. Keep reading to learn more…

Thursday, February 18, 2021 [meetup]

SIEM and Elasticsearch for absolute beginners

Curious about SIEM and/or Elastic? You heard about it, but don’t really know what it is? You know what it is, but curious about what to do next? This is the talk for you! We will have a few subjects for you:

  • SIEM as a concept
  • Elastic as a platform and its usability
  • Introduction to Elastic SIEM
  • Introduction to TheHive - a security incident response platform that can help you get the most out of your Elastic platform.

Elastic is available for free - so is TheHive. So everybody can be on board here.

Tuesday, February 16, 2021 [meetup]

Meet Alexander Krog, one of Lyrebirds’ ethical hackers (OWASP youth event)

Disclaimer: the event will be in Danish, targeted at students 15-25 years old. Everyone is welcome to participate.

Have you always wondered what life as a professional hacker is like? Maybe you would like to become one? Meet Alexander Krog, who together with his team of hackers “Lyrebirds” discovered “Cablehaunt”, a critical vulnerability that was able to give hackers access to modems all around the world, which could potentially have had catastrophic consequences. Alex will tell his story: how he ended up as someone who professionally finds IT security vulnerabilities, and how they found the security hole mentioned. Alex shares his insight and experience from the world of IT security. Afterwards Alex will take all your questions on YouTube.

January 21st, 2021 [meetup]

As we move into this mid- and post-pandemic world with remote and in-office work blending, what must organizations consider in order to sustain data and application security and privacy while still providing an efficient working and user experience? How does remote work change the security stack mix? And what’s still missing?

We will also be diving into how innovation in cyber became a must and how that can and will support companies and users on a daily basis.

YOUR PANELISTS ARE

Lone Juul Dransfeldt Christensen, Senior Security Architect at Bang & Olufsen. Formerly at NNIT and the Danish Police. https://www.linkedin.com/in/ldransfeldt/

Martin Clausen, Chief Security Architect, Head of Architecture, Research and Development at Saxo Bank. Former Head of Cyber Innovation Labs at Danske Bank. https://www.linkedin.com/in/martin-clausen/

Luke Herbert-Andersen, PhD in Computer Science. https://www.linkedin.com/in/lukeherbert/

Oksana Kulyk, Assistant Professor, Center for Information Security and Trust, IT University of Copenhagen. Co-PI of the ASCD project (Assessment on the Status of CyberSecurity in Denmark). https://twitter.com/okskulyk/

December 10th, 2020 [meetup]

Tim Sloth Jørgensen

Program chief for cybersecurity in the Danish Industry Foundation, Chief Strategy Officer of Defence and Security at Terma A/S, advisor to the Danish Ministry of Defence, professor at Copenhagen Business School, former Chief of the Danish Defence. https://www.linkedin.com/in/tim-sloth-jorgensen-3b199a23/

Tim will share his insights based on several years of first-hand experience, and will tell us what they are looking for when investing in new cybersecurity projects. What is he anticipating? Is he hopeful or concerned for the future?

Rasmus L. Fruergaard-Pedersen, Security Software Engineer at Kamstrup

(https://www.linkedin.com/in/rfruergaard/)

Rasmus enables the business to use security correctly. Innovation in software, sensors and communications is what the company Kamstrup is associated with, but how do they ensure a sufficient security stance across a business spanning that wide? Rasmus will talk briefly about technical security champions, business security principles and how to ensure a common understanding of what security is acceptable.

What will you learn from this talk? Translating technical security to business risk; Making security a competitive parameter; Questions to ask when wanting to secure a product in a complex business environment.

November 18th, 2020 [meetup]

A Night of Fraud and Deception

This time we will be focusing on fraud - primarily the past, present and future of fraud and related crime in Denmark. The event will feature talks from Sune Gabelgård, Fraud Crusader at https://www.mobilepay.dk/ and Ketil Clorius, Head of Global Fraud Management at https://danskebank.dk/. We’ll talk about juicy, crazy, mind-blowing case studies and methods used by threat actors. History and future will also be touched upon.

May 5th, 2020 [meetup]

“Going Phishin’ with GoPhish” by Alethe Denis and Patrick Laverty

Want to learn how to put together a phishing campaign? Great, let’s do it. We will use the free and open-source tool GoPhish to launch campaigns. We’ll show how to install and set up GoPhish, create each of the necessary pieces and launch. We’ll also talk about pretexts and how “mean” we should be, and mix in some stories of phishing successes and failures.

April 16th, 2020 [meetup]

Claus Vesthammer

Ethics and philosophy, politics and procedures. Experiences with the framework of responsible disclosure, positive and negative from the real world. Common problems regarding detection of vulnerabilities vs. hacking.

Magnus K Stubman

Magnus will then provide a quick introduction to finding file permission and privilege escalation vulnerabilities (DLL hijacking, etc.) in Windows with procmon, accessenum, ghidra and IOninja, and review selected related CVEs, our own and others’.

Sticks & Stones, Breaking Bones, by Lucas Lundgren

Experiences in pentesting medical devices, including DICOM and PACS machines. References here: https://www.linkedin.com/pulse/sticks-stones-breaking-bones-lucas-lundgren/ https://techcrunch.com/2020/01/10/medical-images-exposed-pacs/

January 30th, 2020 [meetup]

Clickshare [slides]

Dmitry Janushkevich from F-Secure will talk about major vulnerabilities found in ClickShare. More info on https://labs.f-secure.com/advisories/multiple-vulnerabilities-in-barco-clickshare/

Cable haunt: [slides]

Researchers (mostly) from Lyrebirds found critical vulnerabilities in various cable modems. They will talk about what they found and a bit on how. More info at https://cablehaunt.com/. Prior to the meeting it’s possible to join #chapters-copenhagen in the OWASP slack (invite link below) to ask questions and suggest topics to cover. So please do so.

DMARC (and friends): [slides]

Dennis Kjær Jensen (or just SiGNOUT) will tell you about DMARC, SPF and all the other email-extending security features that you simply have to have enabled on your domain to not look too much like a fool, now that it’s 2020 and those vulnerabilities have been around forever. After that Kevin Kruse will tell you what he has done to secure his own email domain (via Proton Mail) and hopefully inspire you to do the same.

36c3 wrap-up: [slides]

Denis Smajlović will tell us about his (mis)adventures on his recent trip to Leipzig and 36c3.

Backdoors & Breaches:

Klaus Agnoletti will introduce you to ‘Backdoors & Breaches’, a card game designed to train the incident response process. After pizza I’ll set up a few gaming sessions. If you got a game at BSides København already, please bring it along with a 20-sided dice. If you don’t have it, fear not, I have a few games left that I’ll give away.

November 25th, 2019 [meetup]

Let’s Encrypt: An Automated Certificate Authority to Encrypt the Entire Web

Speaker: Alex Halderman

Abstract: Let’s Encrypt is a free, open, and automated HTTPS certificate authority (CA) created to advance HTTPS adoption to the entire Web. Since its launch in late 2015, Let’s Encrypt has grown to become the world’s largest HTTPS CA, accounting for more currently valid certificates than all other browser-trusted CAs combined. By January 2019, it had issued over 538 million certificates for 223 million domain names. We describe how we built Let’s Encrypt, including the architecture of the CA software system (Boulder) and the structure of the organization that operates it (ISRG), and we discuss lessons learned from the experience. We also describe the design of ACME, the IETF-standard protocol we created to automate CA–server interactions and certificate issuance, and survey the diverse ecosystem of ACME clients, including Certbot, a software agent we created to automate HTTPS deployment. Finally, we measure Let’s Encrypt’s impact on the Web and the CA ecosystem. We hope that the success of Let’s Encrypt can provide a model for further enhancements to the Web PKI and for future Internet security infrastructure.

Social Engineering For Physical Intrusions

Speaker: Sarka “the pirate queen”

Objectives: The objective is to let people understand the different social engineering exploits that can be used against them, their employees or their loved ones. After a holistic overview of the different human attack vectors I use for my social engineering attacks for physical intrusions, I will step to the defensive side to let the audience understand what controls to put in place to stop real malicious attackers.

Description: Social Engineering has many different faces, from using open source intelligence (OSINT), phishing, vishing, smishing and all the other ‘-ishings’, and dropping weaponized USB flash drives, to eventually getting right into the middle of your target’s own office! There are many tools and described ways of doing all the -ishings, but almost all of them do not require any interaction with the target. I would like to focus on physical intrusions. If you are interested in how I break into buildings like a pirate queen, I will explain how to interact with our target directly, which requires certain knowledge of techniques and skills.

There are many different skills and techniques involved in approaching a human target and testing their security. I would like to look at different human attack vectors. I also look at how to use this knowledge not only to understand the world around us and better our own situational awareness, but I also explain why this is a fun topic we should teach our employees, which would help with defending our company but also our loved ones. I like to uncover my offensive thinking while using facial expressions, body language or psychology research, but I also see myself through someone else’s eyes, whose daily bread is defending networks and who tries to understand the human factor while deploying defense in depth at work.

August 29th, 2019 [meetup]

Reporting on BSides Las Vegas and DEF CON

Presenter: Christian Dinesen, NNIT

Approaching Bluetooth in 2019

Presenter: Martin Schroter

Abstract: Although Bluetooth has been around for the better part of 30 years, we keep innovating on the technology and new uses are found every year. I want to cover:

  • vulnerabilities in Bluetooth 1 up to 5
  • understanding the cryptography of Bluetooth
  • going over the considerations your company needs to make when you decide to adopt Bluetooth into your infrastructure
  • know your tools: Ubertooth sniffing, btlejuice, btlejack, gattacker
  • jamming Bluetooth drones mid-air!

Can we really trust this technology and what are the challenges?

Experiences in OSINT

Presenter: Bjarne Tersbøl, Special Advisor at Konkurrence- og Forbrugerstyrelsen / Danish Competition and Consumer Authority

May 27th, 2019 [meetup]

Security in LPWAN IoT, a comparison (SigFox, LoRaWAN, NB-IoT)

Name: Florian Coman

Bio: Security Analyst at TDC, MSc in Telecommunication at DTU

Abstract: I’ve investigated the security features and possible vulnerabilities of some LPWAN IoT technologies: the license-free SigFox and LoRaWAN and the cellular NB-IoT. I have looked at their End-to-End architecture (from end-device to application server) and I will present some of my findings during the talk.

“Just Hacker Things with Jayson”

Name: Jayson E. Street (http://jaysonestreet.com/)

Abstract: Instead of a usual talk, this will be an open discussion. He will share several stories of his travels & exploits (focused around Social Engineering, where Jayson has many years of experience) but mostly will be there to answer questions about hacking, blue team, red team and DEF CON Groups! So come with questions and expect a few answers and a lot of great hugs!

March 28th, 2019 [meetup]

XSSER: From XSS to RCE 3.0 [slides]

Abstract: This presentation demonstrates how an attacker can utilise XSS to execute arbitrary code on the web server when an administrative user inadvertently triggers a hidden XSS payload. Custom tools and payloads integrated with Metasploit’s Meterpreter in a highly automated approach will be demonstrated live, including post-exploitation scenarios and interesting data that can be obtained from compromised web applications. This version includes more payloads for common web apps and various other improvements too!

Author: Hans-Michael Varbaek / TDC Group

October 25th, 2018 [meetup]

An ice-cold Boot to break BitLocker [slides]

Authors: Olle Segerdahl & Pasi Saarinen / F-Secure

Sponsors

Local News

Meeting Locations: IT University of Copenhagen, Copenhagen Business School

Everyone is welcome to join us at our chapter meetings.