Back to OWASP Gothenburg Day 2015
Mario Heiderich (@0x6D6172696F)
Dr. Mario Heiderich, handsome heart-breaker, bon-vivant and (as he loves to call himself) "security researcher" is from Berlin, likes everything between lesser- and greater-than.
He leads the small yet exquisite pen-test company called Cure53 and pesters peaceful attendees on various 5th tier conferences with his hastily assembled PowerPoint-slides and a lot of FUD.
An Abusive Relationship with AngularJS – About the Security Adventures with the "Super-Hero" Framework
Michele Orrù (@antisnatchor)
Michele Orrù a.k.a. antisnatchor is the lead core developer and smart-minds-recruiter for the BeEF project. Michele is also the co-author of the "Browser Hacker's Handbook." He has a deep knowledge of programming in multiple languages and paradigms, and is excited to apply this knowledge while reading and hacking code written by others. Michele loves lateral thinking, black metal, and the communist utopia (there is still hope!). He also enjoys speaking and drinking at a multitude of hacking conferences, including CONFidence, DeepSec, Hacktivity, SecurityByte, AthCon, HackPra AllStars, OWASP AppSec USA, 44Con, EUSecWest, Ruxcon, InsomniHack, PXE, BlackHat and more we just can't disclose. Besides having a grim passion for hacking and programming, he enjoys leaving his Mac alone, while fishing on saltwater and praying for Kubrick's resurrection.
Dark FairyTales from a Phisherman (Vol. III)
Phishing and client-side exploitation DevOps for all your needs. Combine BeEF, PhishingFrenzy and your fishy business to automate most of the usual phishing workflow while minimizing human interaction. Multiple real-life phishing engagements will be discussed, together with the shiny new BeEF Autorun Rule Engine.
Marie Moe (@MarieGMoe)
Dr. Marie Moe is passionate about incident handling and information sharing. She cares about public safety and securing systems that may impact human lives, which is why she has joined the grassroots organization “I Am The Cavalry”. Marie is a research scientist at SINTEF ICT, and has a Ph.D. in information security. She has experience as a team leader at NorCERT, the Norwegian national CERT. Marie also teaches a class on incident management and contingency planning at Gjøvik University College in Norway. Marie loves to break crypto protocols, but gets angry when it's in her own body.
Unpatchable - Living with a Vulnerable Implanted Device
My life depends on the functioning of a medical device, a pacemaker that generates each and every beat of my heart. This computer inside of me may fail due to hardware and software issues, due to misconfigurations or network-connectivity.
Yes, you read that correctly. The pacemaker has a wireless interface for remote monitoring and I am forced to become a human part of the Internet-of-Things. As a seasoned security-professional I am worried about my heart’s attack surface.
This talk will be focused on the problem that we have these life critical devices with vulnerabilities that can’t easily be patched without performing surgery on patients, my personal experience with being the host of such a device, and how the hacker community can proceed to work with the vendors to secure the devices.
Martin Johns (@datenkeller)
Dr. Martin Johns is a research expert in the Security and Trust group within SAP SE, where he leads the Web application security team. Before joining SAP, Martin studied Mathematics and Computer Science at the Universities of Hamburg, Santa Cruz (CA), and Passau. During the 1990s and the early years of the new millennium he earned his living as a software engineer in German companies. He is a board member of the German OWASP chapter, holds a Diploma in Computer Science from the University of Hamburg and a Doctorate from the University of Passau. Martin is a regular speaker at international security conferences, incl. Black Hat, the OWASP AppSec series, ACSAC, ESORICS, PacSec, HackInTheBox, RSA Europe, or the CCC Congress.
Your Scripts in My Page - What Could Possibly Go Wrong?
When it comes to web security, there is the one policy to rule them all: The Same-origin Policy. Thanks to this policy, sites hosted on disjunct origins are nice and cleanly separated, thus preventing the leakage of sensitive information into the hands of unauthorized parties. Unfortunately, HTML predates the Same-origin Policy and, thus, was not designed with the origin-based security model in mind. In consequence, HTML tags can freely reference cross-domain locations and include cross-domain content in their hosting web pages.
In this talk, we will present an attack, resulting from this circumstance, that has been widely overlooked in the past but affects a surprisingly high number of Web sites: Information leakage via cross-domain script inclusion.
Rikard Bodforss (@rbodforss)
Rikard Bodforss is working for the city of Gothenburg recycling and water (Förvaltningen Kretslopp och vatten) as IT manager. He has over two decades of experience from the IT industry and most of that working with Information- and IT-security. He is former head of forensics for Volvo Group and has extensive experience working with incident response and forensic investigations. As a security advisor, he worked with companies from all kinds of sectors, including automotive, finance, medical, pharma, energy and public sector. He holds CISSP and CISA certifications and was awarded the ISACA Thomas Fitzgerald award in 2009 for the highest score in the world on the CISA exam.
Forensics - Workshop
Rikard will guide you through the basics of a forensic investigation from acquisition to triage analysis, using open source or free tools. The workshop will be based on a scenario where we will go through the steps of an investigation from planning to report writing. The level of the workshop is aimed at an audience with limited (no) experience in forensics, but with a good understanding of computers, hardware and operating systems. After the workshop you will know how to handle the most critical part of an investigation, the acquisition, and how to proceed from there. IMPORTANT: Bring a laptop with Windows 7 installed (or a virtual host with Windows 7 on an OS of your choice). Install VMware player. Also 2 USB sticks or USB HDD 8 GB+. Optional: Bring a "Victim drive" (your spouse's, colleague's, best friend's, enemy's) to analyze.
Martin Knobloch (@knoblochmartin)
Martin is an independent security consultant and owner of PervaSec (http://www.pervasec.nl). His main working area is (software) security in general, from awareness to implementation. In his daily work, he is responsible for education in application security matters, advice and implementation of application security measures. Martin got involved in OWASP in 2006. He became a member of the OWASP Netherland Chapter board in 2007. He has contributed to several OWASP projects and is co-organizer of the OWASP BeNeLux-Day conference since 2008. Martin has been chair of the Global Education Committee from 2008 until the ending of the Global Committees. Further, Martin is the conference chair of the OWASP AppSec-Eu/Research 2015 conference in Amsterdam, the Netherlands! Martin is a frequent speaker at universities, hacker spaces and various conferences.
OWASP Security Knowledge Framework
There are a lot of books about how to write secure code, and a lot of standards and regulations. But do they succeed in getting the developers writing more secure code? Developers are about developing, and developing means staying up to date on frameworks, tools, best practices. Just to throw a several hundred page book on their table and expect them to read it does not work. Nor does a list of several hundred items 'what to do / not to do' work. They need a way to find information agile, dynamically, to the point, addressing the problem they are dealing with at this moment. That is what the SKF does! The Security Knowledge Framework is a vital asset to the coding toolkit of you and your development team. Use SKF to learn and integrate security by design in your web application.
In a nutshell:
- Training developers in writing secure code
- Security support pre-development (Security by design, early feedback of possible security issues)
- Security support post-development (Double check your code by means of the OWASP ASVS checklists)
- Code examples for secure coding
During the workshop we discuss the different secure code standards, tools and guides and how this knowledge comes together in the Security Knowledge Framework and how to implement the SKF in your (customers') development life-cycle.
Sean Duggan (@Duggan4Sean)
Seán is currently working as an InfoSec Analyst and studying for a Masters in Security and Forensics. He is also the Mobile Dev Lead for the Security Shepherd Project. During college he started making vulnerable Android Apps for the OWASP Security Shepherd project, which he continues to this day. He is always looking for new ways to make vulnerable Mobile Apps. Speaker at AppSec EU 2014, Attendee at Project summit in AppSec EU 2015, Speaker at DaggerCon 2015.
OWASP Security Shepherd - Workshop
How do you know a web site is secure? How do you know your credentials are safe online? What makes a web site safe? Do you even know the questions to ask to help determine this? HTTPS is not the answer and trust is no longer a solution. The only way to be sure is to perform ethical hacking on the web application using a combination of manual and automated pentesting techniques. These skills are in high demand in the market place right now - but how can one get them? Well that's easy... if you take the right first step!
Join Sean Duggan for a 3-hour hands-on workshop that will bring attendees up to speed on all the latest and greatest security testing techniques that are a concern in the market today. Compete against other attendees to solve increasingly complex security puzzles derived from real world security threats. Workshop attendees will leave with a real familiarity of web and mobile security testing best practice, terminology, workflows, and commonly used tool kits.
Bring an open mind and your laptop.