Yesterday I attended my first ever BSidesLondon event at the Barbican Centre. I arrived at the venue around 8 o’clock and signed in to get my name badge. The BSides team were still setting things up, but around 8.30am we were allowed to enter, getting a wrist band, a free t-shirt and other promotional goods in a bag. There was a nice mixture of hot and cold drinks as well as fruit and croissants to eat, until the event really kicked off at 9am. The venue had three rooms that were hired out; it was a short trip to reach track three, an okay trip to reach track two, but a really long trip to reach track one. I planned my day before I went and knew which talks I really wanted to attend, and was lucky that most were in track two.
The first talk I attended was the one by Robin Wood, who is a senior security engineer at RandomStore. He gave an excellent talk on how to break into security and also had some stats. Robin had surveyed over 300 professionals to ask them some common questions that all newbies trying to break into security would want answered, for example ‘What certificates are worth doing?’, ‘Do you need to code?’ and so on. This was a really good talk, with Robin making loads of valid points, and the results from his survey helped to answer some of the most common questions that I have been asked. I would recommend checking them out.
The second talk I attended was on social engineering, by Ian Maxted, who works as a security consultant for Encryption. This covered everything you would expect from a social engineering talk: what it is, how to implement it, as well as why companies should get social engineering done.
The next talk I wanted to see was Mapping the Penetration Tester Mind: 0 to Root in 60 Minutes, but the speaker was not found, so another speaker had to step in to talk about randomization. This was a really interesting talk, and if you have attended 4420 you may have heard this talk before. The talk was based on how random functions work and how they should be implemented correctly. It was really technical and maths-based.
The last talk I attended before lunch was by Robert McArdle, who is a manager at Trend Micro. This talk was based on some cool new features of HTML5, as well as how we can use the good features for bad. This was a really cool talk with loads of new interesting attack vectors in HTML. It discussed how, if you are using a blacklist to prevent XSS attacks, HTML has new tags that won’t yet be blacklisted, so it could leave your site open to XSS. It also mentioned how you can infect browsers and how antivirus software would not pick it up. Overall this was my second favourite talk, and I hope to look into HTML5 soon and post links to slides once they are out.
Then it was lunch time. During the day there were also breaks, but at lunch you could go and network. Also a bag was provided that contained a sandwich, drink, mints, crisps and a fortune cookie. I planned on meeting loads of people at BSidesLondon who I knew from talking to online. One of the biggest problems I found was trying to find them; the name badges were pretty small and I didn’t want to just go and stare at someone. So a lot of people I was hoping to meet and talk to I didn’t really get to meet.
After lunch I was undecided about what I wanted to go and see, as I had a meeting set up with the awesome CV clinic. I decided to go and see Gavin Ewan’s talk on a sales guide to social engineering. Social engineering is a cool topic and one that I am really interested in. Gavin decided to talk more about how to read people and influence their decisions. All the aspects he was talking about were taught to me when working for a big UK retailer, so it was interesting to hear and see the same techniques that were taught to me being used in a different environment. This by far was my favourite talk, as it was interesting but funny too. Sadly I had to leave a bit early to attend my CV clinic appointment.
The CV clinic was run by staff from KPMG, and I must say they were super, giving me loads of good advice and tips on sorting out my CV. I thought I had a perfect CV, but they did rip it apart, making loads of really good points. I was with Susan for about an hour, and I know the help and advice she gave me will help me; I can’t thank her enough.
After I got my CV sorted I got to network again, which meant I got a chance to speak to a few people I already knew, so it was cool to catch up. By the end of this time I was so tired that I decided to leave and travel home.
Overall this was a wicked event; there were loads of great talks and freebies flying about all over the place. I can’t thank the staff, sponsors and talkers enough; without their time and money the event would not be possible. I would recommend that more companies get involved and support BSidesLondon.
Links to slides
escalating privileges on common web apps
webapp exploit payload
web app testing without permission
wep app demo