BruCON 2016 (0x08) - Speaking about POS, POI & VT (the undisclosed talk)

It was a great honour for me to present this year at a hacking conference like BruCON (brucon.org). 

As many of you already know, I started this because I wanted to know how the payment process works behind the scenes (Payment Card Industry - PCI) and how secure these systems are, which we take for granted on a daily basis. 

After researching Point-of-Sales (POS), Point-of-Interaction (POI) devices and Virtual Terminals (VT) for almost 4 years, it was about time to do a presentation that wouldn't be behind closed doors as I usually do. I talked with a number of acquires, issuers, payments processors and POI OS manufacturers and let them know about my findings way before this talk. 

Securing Online Gaming 2016

The challenge of continuous security are going to be discussed at this year's annual "Securing Online Gaming" in London, on the 4th October 2016. It is a great to be among such amazing speakers and have the opportunity to speak about the challenges of securing online gaming. 

I will be representing DeepRecce which already has a leading role in the market when it comes to its cyber security solutions and its under 15 minutes deployable managed SOC solution across any number of hosts. 

My talk will discuss Online Gaming towards Cyber Resilience, and more specifically it will focus on:

• Today's challenges & requirements towards security online gaming
• How attacks are evolving, and what should we expect
• Taking steps for an effective Cyber Resilience strategy

The event will take place near the St. Paul's Cathedral and The Barbican. This is directly opposite the Museum of London. Located at 200 Aldersgate etc.venues St Paul's is a state of the art conference centre with the largest room holding up to 400 along with a further 12 rooms for conference breakouts, training and meetings.

Security BSides Manchester 2016

Thank you all for coming to my talk at Security BSides Manchester 2016. The conference took place on Thursday 18th August 2016, at Manchester Metropolitan University Business School, in the heart of Manchester.

The title of my talk was: 

Accessing the personal details of most of the InfoSec professionals & the Responsible Disclosure process.

The talk was not recorded due to the sensitive nature of the content and not much information was given in the abstract. 

Electromagnetic Field 2016 - EMF Camp

Electromagnetic Field [1] is a UK camping festival for those with an inquisitive mind or an interest in making things: hackers, artists, geeks, crafters, scientists, and engineers.

This year's badges were amazing! If you want to start hacking your badge, go to this link: https://badge.emfcamp.org/wiki/TiLDA_MK3

I actually had the opportunity to give a talk on the myths and truths when it comes to hacking airplanes. Thank you all for coming to my talk! The talk was recorded and streamed live at the same time. Soon, the video will be available on EMFcamp's youtube channel if you would like to watch.

This year the event took place between Fri 5th - Sun 7th Aug 2016. The organisers found a really nice location outside Guildford. It is an awesome camping site with power to your tent (if you remembered to bring an extension) and Internet access. Tickets are approximately £120 and if you are thinking of driving down, you need to purchase in advance a parking ticket. If you have a motor-home, you are also welcome. 

EMFcamp welcomes everyone, supports diversity and does not tolerate misconduct. So, pack your tent, some warm clothes, a couple bottles of/for water, a torch, your favourite drinks and you are all set. I suggest you get earplugs as well, especially if it is windy, you wont be able to sleep. 

Plenty of presentations to watch, a few canteens with drinks and food, and many different workshops. Many different villages [2] and a lot of fun stuff to do all day long! Except from attending interesting talks and workshops, from hacking stuff, making stuff, creating music through algorithms, practising your soldering skills, lock-picking, talking to people around the world through radio broadcast, and play fire ping pong, you can also enjoy the day with all sort of people, make new friends while have a a cold drink and warm food.

There is also a kids area as well where you can let them play from 10:00 am until 20:00 pm and overseen by professional carers. 

Pick your favourite activity as you go along or plan your day in advance by looking at the schedule on the website. 

You can follow EMF camp on twitter: @emfcamp 

[1] https://www.emfcamp.org
[2] map.emfcamp.org

SnoopCon 2016

I had the honour to be invited again this year by the Cyber Security Testing and Validation Team at British Telecoms (BT) in order to attend their annual internal conference, as a guest speaker. The conference is known as SnoopCon and it is BT’s Penetration Testing and Ethical Hacking annual meet-up event which lasts five days.

The event is held behind closed doors, however it is customary that on the third day they invite people from the industry, recognising that their work would be an invaluable input if presented at their internal conference.

It was a great opportunity for me to catch-up with so many friends at SnoopCon. I also find out that Anoop Sethi has decided to retire after approximately 12302 days uptime (33 years) for BT. 

It is a great honour to have known Anoop, the man who fundamentally changed the way Security and Penetration Testing is viewed in BT. Given the opportunity, I would like to personally wish Anoop all the best with anything he decides to do and I would like to thank him for being such an amazing individual.

I had a fantastic day at BT and the quality of the guest talks was over the roof. I am going to outline here briefly the content of the talks in the order they were presented. 

Security BSides Athens 2016

It has been a while since my last blog-post and the main reason for that, was the numerous things I had to keep track for organising:

Security BSides Athens 2016 (www.bsidesath.gr) 

It has been a very busy year trying to organise this Security BSides event for the first time in Athens, Greece, with plenty of “hiccups” to overcome in the meantime. 

Once we had a team of people who were equally excited and passionate about this, we started working towards the event details.  

---

Given the opportunity, I would like to personally thank the team once again, all the volunteers who helped out on the day, the review committee who provided constructive feedback to all submissions, the speakers who travelled from all over the world to be there and present, and last but not least, all of YOU who attended the event. 

Special thanks goes to our sponsors, who trusted us on our promise to deliver this information security community based conference. We couldn't be able to bring this event to Athens, especially for the first time if it wasn’t for them, and for that we really appreciate their contribution and support.

Of course, such an event would not be able to exist without the community support we had from fellow conferences all over Europe, the Universities that promoted the conference, the Hellenic Army General Staff, and all the people how were involved and made this event a success story. 

We had some great feedback already and we are committed to tweak things according to the recommendations and suggestions we received in order to make the event next year even better. There is always room for improvement and for more people to get involved. 

Teach your brain to regenerate passwords instead of remembering them

@TripwireInc posted a brief article about my talk for @AbertayHackers and #SecuriTayV happening this Friday 26/Feb. For those attending, you will learn how to teach your brain to regenerate passwords instead of remembering them! 

Let's cut to the chase. Despite the existence of a number of advanced authentication mechanisms, such as Single Sign-On (SSO), different types of Biometrics, multi-factor authentication, etc., the use of passwords is still the most popular means of authenticating users.

The need to generate, and hopefully to remember these passwords, has become even more demanding due to the rapid increase in the number of systems and online accounts being used. 

Best practice is that these passwords need to be as strong as the assets they protect, and password management applications are supposed to be the most straightforward solution for storing them safely.

If you think about it for a moment, no one has ever actually taught you how to think when choosing a password. Due to the fact, it is generally considered a straightforward task, it is assumed that you actually know how to choose the appropriate password for protecting a particular asset (email, social media account, OS login, etc.).

Abertay Ethical Hacking Society: 5th annual Security Conference: Securi-Tay V

Securi-Tay [1] is an Information Security conference held by the Abertay Ethical Hacking Society [2], and supported by the Abertay University in Dundee. The aim of the conference is to provide an opportunity to industry professionals, students and information security enthusiasts to attend and share knowledge and information. This year will be the fifth year the conference is taking place (hence the V) and it will be held on February 26th - 27th, 2016. Personally, I believe this conference offers a fantastic opportunity to students to meet and network with experts in the area of security, share information and have a first glance on how their future in the security industry can be like. 

I was very pleased to get accepted to speak at the conference again this year and I am already looking forward to it. The talk is about passwords and more specifically on how to train your brain to "regenerate" different passwords for different accounts, instead of remembering them. I know that this is not very clear at the moment, but I promise you that everything will be explained during the presentation. This is something I started working more than 10 years ago. I actually published two papers on the subject, one paper describing the thought process and one paper on how to reverse the password generation process during a computer forensics investigation based on an individual's profile. 

Guest Speaker for Cardiff University - CyberSecurity and the Payment Card Industry

I had the pleasure to be invited as a guest speaker to Cardiff University in order to give a talk about: "CyberSecurity and the Payment Card Industry". 

The talk starts with an introduction to the Payment Card Industry (PCI),  Payment Card Industry Data Security Standard (PCI DSS) and the Payment Card Industry Security Standards Council (PCI SSC). The participants are given the opportunity to understand what is an Approved Scanning Vendor (ASV), the responsibilities of a Qualified Security Assessor (QSA) and last but not least the job of a PCI Forensics Investigator (PFI).

SteelCon 2015 - Can you really hack an airplane? (myths & truths)

I was very excited to hear my talk that was sent to SteelCon 2015 (http://www.steelcon.info) was accepted. This time I am talking about something different than usual, which has to do about hacking airplanes.

A lot of noise, many discussions and many articles have been written lately due to the recent so claimed airplane hack. It is indeed very difficult, up to impossible, to find information about the security of an airplane's systems if you are not actually the person responsible for designing and building such systems. Of course, it is understandable that these details regarding these systems will never become available to the general public for security reasons.

SnoopCon 2015

It was a great honour to be invited by the Cyber Security Testing and Validation Team at British Telecoms (BT) to attend their annual internal conference, as a guest speaker. The conference is known as SnoopCon and it is BT’s Penetration Testing and Ethical Hacking annual meet-up event which lasts five days. 

The event is held behind closed doors, however it is customary that on the third day they invite people from the industry, recognising that their work would be an invaluable input if presented at their internal conference.

I had fantastic day at BT and the quality of the guest talks was over the roof. From Cyber Wargaming to the dark corners of the Dark Net, hacking the Internet of Things, a different approach when it comes to hacking cars, OS exploitation and of course, Threat Intelligence in depth.

The amazing news came a couple of days later, when I was informed that I was awarded the "Best External Speaker" award for my talk. 

The award is called the “my little Pwnie Award” based on the word "pwn", which is hacker slang meaning "to compromise" or to "control", hense the eccentric type of the award.

Thank you for inviting me to the conference and a special thank you for the award. I am looking forward to the next conference already! 

Follow me on Twitter: @drgfragkos 

BSides London 2015 - Virtual Terminals, POS Security and Becoming a Billionaire Overnight!

Yes, it is true. The talk was short-listed and it was voted for the BSides London 2015 conference! Thank you all for voting for my talk. 

I am looking forward to fantastic line-up of talks at the conference. As you probably noticed at the schedule page, the session is not to be recorded due to the sensitive content, so please, do respect this request. 

This means that if you want to find out more about the talk, you will have to be there and attend the session. 

Tripwire (@TripwireInc) posted a short article about my forthcoming Security BSides London 2015 talk, which you can find at this link.

 

As far as I know Track 2 is quite big and I really hope there are going to be enough spaces for everyone. For those attending the talk, mark it down on your schedule, tweet about it and follow me @drgfragkos to find out more! :) 

I have only one thing to say to you for now: Great things do come, to those who attend ;)

If you want to tweet about the talk dont forget to use the BSides London 2015 handler: #BSidesLDN2015

Copy-Past Tweet for sharing: 

Virtual Terminals, #POS Security and Becoming a Billionaire Overnight! via @drgfragkos at @BSidesLondon #BSidesLDN2015

I am looking forward to the event, hoping to have a chance to speak to all of you at the conference and potentially share a drink or two. I really appreciate your interest in this field and I can only hope my talk will keep you all excited once more. I really believe that anyone who has the opportunity to be at this conference should not miss the chance. We are all going to be there and if you have like five minutes to spare, come and say hi.

Guest Speaker for University of South Wales (Information Security Research Group) - CyberSecurity and the Payment Card Industry

I had the pleasure to be invited as a guest speaker to the University of South Wales in order to give a talk about CyberSecurity and the Payment Card Industry more specifically for the Information Security Research Group (ISRG).

The talk included an introduction to the Payment Card Industry (PCI),  Payment Card Industry Data Security Standard (PCI DSS) and the Payment Card Industry Security Standards Council (PCI SSC). The participant had an opportunity to understand what is an Approved Scanning Vendor (ASV), a Qualified Security Assessor (QSA) and last but not least a PCI Forensics Investigator (PFI).

Guest Speaker for Derby University (Digital Forensic Investigation Course)

I had the pleasure to be invited as a guest speaker to Derby University in order to give a talk about Penetration Testing in the real world and more specifically for the Digital Forensic Investigation course.

The talk included an introduction to the Payment Card Industry (PCI),  Payment Card Industry Data Security Standard (PCI DSS) and the Payment Card Industry Security Standards Council (PCI SSC). The participant had an opportunity to understand what is an Approved Scanning Vendor (ASV), a Qualified Security Assessor (QSA) and last but not least a PCI Forensics Investigator (PFI).

The students were introduced to penetration testing types, practices, methodologies, real stories from the industry, tools, and techniques. Black Box testing versus White Box testing was explained, the significance of white-listing was discussed and comparison of ASV, Vulnerability Assessment and Penetration Testing was given.

The second part of the talk focused on malware and included a more practical approach with a hands-on session. The talk focused on how easy could it be to create malware that is capable of evading AntiVirus detection (including reputation based detection). The students were given an executable file and a hex editor which allowed them to modify the given binary. Social engineering and spear phishing were also discussed. The purpose was to raise their awareness and allow them to understand with examples why we say there is no 100% security.

I had a wonderful day at the University, the students were very excited and I do hope they learned a lot. All the best with their course. The industry needs these knowledgeable future professionals. 

Guest Speaker for Derby University (Digital Forensic Investigation Course) - Cyber-Security and Cyber-Defence

I was very excited to be invited by the Derby University once more and more specifically by the Digital Forensic Investigation Course in order to give a talk. The title of the talk was "Cyber-Security and Cyber-Defence in the industry and financial services utilising Penetration Testing and Computer Forensics".

The talk focused on the current Cyber-Threats, Cyber-Security and Cyber-Defense tactics. It introduced to the participants different types of security services, which included threat assessment, threat intelligence and threat management solutions. The talk also gave the students an opportunity to hear about the most successful vendors in the security industry.

Figure 1 - Guy Fawks Mask as a Rorschach Test

The trends in cybercrime were discussed along with why cybercriminals participate in cyber-gangs and the reasons why cybercrime is still successful. More specifically the talk looked into the reasons why cybercrime has a presence, how much does it pay, explored the increasing scope, scale, and complexity of cybercrime impacting the industry at the moment, how cyber-espionage is involved and how can we focus on real-world strategies to avoid being targeted.

A number of tools and techniques were introduced to the students along with a practical session on how easy would it be to create their own version of a malware capable of evading AntiVirus detection. All this raised their awareness and made start thinking outside-the-box when it comes to this fast evolving threat landscape of cyber-threats.

I do believe the students enjoyed the talk as the feedback was exceptional. I do hope they gained enough information during the day to go back and start looking into cyberthreats more closely and with a better understanding.

Guest Speaker for Derby University (Digital Forensic Investigation Course) - Penetration Testing

I had the pleasure to be invited for the first time as a guest speaker to Derby University in order to give a talk about Penetration Testing in the real world and more specifically for the Digital Forensic Investigation course.

The talk included an introduction to the Payment Card Industry (PCI),  Payment Card Industry Data Security Standard (PCI DSS) and the Payment Card Industry Security Standards Council (PCI SSC). The participant had an opportunity to understand what is an Approved Scanning Vendor (ASV), a Qualified Security Assessor (QSA) and last but not least a PCI Forensics Investigator (PFI).

The students were introduced to penetration testing types, practices, methodologies, real stories from the industry, tools, and techniques. Black Box testing versus White Box testing was explained, the significance of white-listing was discussed and comparison of ASV, Vulnerability Assessment and Penetration Testing was given.

The second part of the talk focused on malware and included a more practical approach with a hands-on session. The talk focused on how easy could it be to create malware that is capable of evading AntiVirus detection (including reputation based detection). The students were given an executable file and a hex editor which allowed them to modify the given binary. Social engineering and spear phishing were also discussed. The purpose was to raise their awareness and allow them to understand with examples why we say there is no 100% security.

I had a wonderful day at the University, the students were very excited and I do hope they learned a lot. All the best with their course. I am looking forward to be invited again by the university in the future and have the opportunity to discuss in more detail CyberSecurity and Cyber-Threats.