Showing posts with label Security News & Articles.

Tuesday 30 January 2018

UK Minister for Digital on Cyber Security

Britain’s most critical industries are being warned to boost cyber security or face hefty fines, as the government acts to protect essential services from cyber attacks.
"We want our essential services and infrastructure to be primed and ready to tackle cyber-attacks and be resilient against major disruption to services," said the current Minister for Digital, Margot James.
In August last year, the former Minister for Digital, Matt Hancock, mentioned that a new government directive was being considered which would allow regulators to inspect the cyber security status of companies.
More specifically, it was said that companies in the Energy, Transport, Water and Health sectors are expected to have "the most robust safeguards".

Wednesday 24 January 2018

The Global Risks Landscape 2018

Towards the end of each year, we tend to come across several reports and white papers that discuss the cyber-threat predictions/concerns for the following year. However, I do believe that very few of these reports really attempt to dig deep when it comes to emerging Cyber related threats and really discuss future trends. 

I have had several discussions regarding the future of cyber risk exposure and how cyber risk assessments will start experiencing a significant shift in the following months. There is a bigger picture when it comes to cyber threats and cyber crime. It is not only how much a data breach or business disruption will cost, but at what scale it affects people's lives. This is the moment we need to take a step back and look at magnitude and implications. The main reasons why things should be expected to change dramatically on the cyber front between 2018 and 2020 are briefly outlined below:

a) The General Data Protection Regulation (GDPR). GDPR has brought Information Security and Cyber Security into the boardroom as a discussion topic, "motivating" stakeholders to act upon the requirements before the regulation is finally in effect (25 May 2018). You should also consider that the disclosure of a breach needs to take place within 72 hours from the moment it was detected, the increased cost of responding to a data breach, and the fines imposed under GDPR.    
b) The number of cyber attacks expected in 2018 and their impact, according to the Cyber Security Breaches Survey conducted for 2017. (FYI: the official Cyber Security Breaches Survey 2018, detailing business action on cyber security and the costs and impacts of cyber breaches and attacks, will be published in April 2018.)
c) Now consider the domino effect when it comes to the scale and magnitude of the cyberattacks anticipated by 2020, in contrast with the current state of readiness of business entities and their dependencies across all industries. 

The recently published Global Risks Report by the World Economic Forum (www.weforum.org) has highlighted some very important facts regarding the risk perception for the year 2018. Cyberattacks are now perceived as a global risk of highest concern, especially to business leaders in advanced economies. Cyber is also viewed by the wider risk community as the risk most likely to intensify in 2018, according to the published Global Risks Report.

Wednesday 20 December 2017

A "HIPPA Extortion" case hit the news

Following my recent article where I tried to explain the concept of "GDPR Extortion", a data breach of a Health IT provider hit the news early this week, and the case of "HIPPA Extortion" became a sad reality.

For those of you who are not familiar with HIPAA (Health Insurance Portability and Accountability Act of 1996), it is United States legislation that provides data privacy and security provisions for safeguarding medical information, and in this case it applies to the Health IT provider that was breached.

The Nashville-based company (Medhost) is being asked by the cyber-criminals to pay 2 Bitcoins (BTC) which at the moment is approximately $35K (USD), otherwise they will sell the data they managed to steal. What is however very interesting in this story, is that they try to make their case by saying that they will do:
" ..a media release regarding the lack of security in a HIPPA environment. "
The screenshot is from Google's cache*, as the website of the breached company appeared on 19/Dec 2017 at 20:02 GMT.

Wednesday 13 December 2017

Will "GDPR Extortion" become the new "trend" in cybercrime?

Even though this is not an "official" term that is being used (well, at least not yet), it does describe the concern I am trying to explain to people on different occasions. I often discuss GDPR from the security perspective, and the conversations most of the time end up focusing on the implications of the regulation and the "next day".

This is when I end up trying to describe the potential scenario of "GDPR Extortion", as I always like to see things through different lenses when it comes to forward-thinking in Information Security and CyberSecurity. 
By saying "GDPR Extortion" I tend to mean something similar to "DDoS Extortion", and it is easier to give an example to people in order to explain this type of potentially evolving threat. 

Thursday 21 September 2017

RIPE NCC - RIPE ATLAS

I recently saw Vesna Manojlovic’s  (@Ms_Multicolor) talk at BalCCon (@BalCC0n) about the RIPE Atlas device and I wanted to find out more about the project. I felt a need to play around with the device, see how it works, run a few security tests, and of course, be part of the online community that has access to the data in real-time.

Getting started with the RIPE Atlas probe (@RIPE_Atlas) was more or less straightforward. 

The RIPE NCC (@RIPE_NCC) is building the largest Internet measurement network ever made. 

For those who are not familiar, the RIPE NCC assigns and allocates Internet number resources across Europe, the Middle East and parts of Central Asia. The RIPE Atlas employs a global network of probes that measure Internet connectivity and reachability, providing an unprecedented understanding of the state of the Internet in real time. You can explore the RIPE Atlas measurements, maps and tools, once you register for an account. 

Starting with the probe I had to visit the URL http://probev3.ripe.net which redirected me to https://atlas.ripe.net/docs/probe-v3/. On that page, one can find further information about the device, and what one should do if they find one connected to a network, and of course what to do if one has found a lost device. 

Tuesday 19 September 2017

"Moving Towards CyberResilience", BalCCon2k17

This year is my first time at the Balkan Computer Congress, known as BalCCon (BalCCon2k17), in Novi Sad, Serbia. I have visited Serbia a few times for work and it is a pleasure to have the opportunity to be back, attending this amazing conference and presenting a talk.

BalCCon (@balcc0n) is a three-day conference with a great line-up of speakers, hackspace activities that include soldering and hardware hacking, retro gaming, workshops, and a pleasant atmosphere with a party-mood throughout the day. 

This year's event, BalCCon2k17, is the 5th BalCCon. The conference opened on Friday 15/Sep/2017 by Jelena Georgijevic Krasojevic. She welcomed everyone and gave a small introduction about the event and its history. The event started at 14:00, which gave people enough time to fly to the country in the morning, or to make sure they had a really good night's sleep if they arrived the previous night.

If you haven't been to BalCCon, it is time for you to make plans for next year. The package includes amazing talks, plenty of activities for people to do, many workshops to attend, a friendly atmosphere, good food, and warm weather.

Saturday 2 September 2017

Security BSides Amsterdam 2017

My passion for contributing to the information security community as much as possible led me into getting myself involved with the formation of another information security conference. After a number of discussions, I decided to help out with putting together a Security BSides conference in the Netherlands. More specifically, the first ever Security BSides Amsterdam 2017 (www.bsidesams.nl) took place on Friday, 1/Sep/2017 in the heart of Amsterdam, at Zalen Pakhuis de Zwijger B.V. (dezwijger.nl).
We tried to engage the Dutch information security community as much as possible, as this was our first attempt to make this conference a reality. We were very pleased to have so many speakers submitting a talk to the conference, and to have the support of OWASP and especially OWASP Netherlands.


On our account on peerlyst you will find a list of all the talks of the day, along with their respective YouTube video. 

You can also find all of the videos on our YouTube channel, all combined in one playlist here

Monday 26 June 2017

Security BSides Athens 2017

This was the second Security BSides Athens in Greece, which allowed us to move to a slightly bigger venue this year. We tried to put together a better event than last year and further improve the quality of the conference.

Security BSides Athens 2017 (www.bsidesath.gr) took place at "The Athinais Cultural Center" - ATHINAIS

Thursday 18 May 2017

OWASP London chapter meeting (Guest Speaker)

It is a great honour to have been invited to speak at the OWASP London Chapter meeting this May (Thursday, 18 May 2017, Central London).
More importantly, as this meeting is sponsored by WorldPay, it is a fantastic opportunity to share previous work I have done on payment systems over the past few years.   

Allow me to say a big Thank You to the OWASP London Chapter organisers for the work they put in to keep the London chapter so live & active, and of course to WorldPay, for supporting this meeting and for being so kind as to host it at their premises. If you are interested in finding out more about OWASP, make sure you attend the OWASP Summit 2017.

Given the opportunity of this blog post, I would also like to thank you all for your messages about my talk. I am very pleased to hear that the tickets for the OWASP London Chapter meeting this month sold out so fast that the organisers had to activate the waiting list. The organisers also mentioned that, due to the high demand, they will consider live streaming. So, stay tuned for updates on that, as I am planning to schedule a number of tweets to go out before and during the talk. For updates you can follow me on Twitter: @drgfragkos

Wednesday 17 May 2017

30 days to go for the OWASP Summit 2017

OWASP will host its 2017 Global Summit in London, where hundreds of participants will join forces in Working Sessions focused on solving hard Application and Cyber Security problems.
This is not a conference with unidirectional presentations. Using the same model as the past two OWASP Summits in Portugal, this 5-day event will be a high-energy experience, during which attendees get the chance to work and collaborate intensively. Every thoroughly prepared working session is geared towards a specific application security challenge and will be focused on actionable outcomes.
With participants flying from all over the world and from major security/development teams, service/product providers and research organizations, this is the place to be to learn and collaborate with industry peers (and even competitors).

The event is split over the following tracks, each focusing on a specific set of challenges:
  • Threat Modeling - This is one of the strongest tracks, with most of the core Threat Modeling talent in the world joining forces and collaborating
  • OwaspSAMM - This is another track where we have the main contributors and users of this Owasp project participating at the Summit
  • DevSecOps - This track has been generating quite a buzz among participants, since it is addressing real pain points and problems that companies face today
  • Education - Always strong in OWASP, this track ranges from University master degree to how to create the next generation of AppSec professionals
  • Mobile Security - Another track where the key Owasp leaders of Mobile-related Owasp projects are participating
  • CISO - This track reaches a wide audience of CISOs and covers a wide range of CISO-related topics
  • Research - This track covers really important and interesting research topics (it’s important to look at the future and work on the next generation of Application Security)
  • Agile AppSec - This is a track driven by a couple participants who really care about Agile and want to find better ways to integrate it with AppSec practices
  • Security Crowdsourcing - This is a track that is focused on scaling AppSec activities via internal and external crowdsourcing
  • Owasp Project’s Summit - Last but not least, this track has 31 Working Sessions directly related to an Owasp Project (with most having the Project Leader participating)

Friday 12 May 2017

Ransomware outbreak at a global scale | #wannacry

Approximately 74 countries are currently under an ongoing cyber-attack. The NHS in the UK has been massively affected, along with major companies worldwide. 

Computer systems are being infected with the ransomware known as WanaCrypt0r 2.0 (also known as WCry and WannaCry). The malicious file targets a known computer vulnerability (MS17-010).

System Administrators:
- Ensure systems are fully patched, especially by addressing the MS17-010 vulnerability. 
- Disable SMBv1.
- Block ports 139/445 and 3389 at the firewall.
- Make sure you have a backup of your data and it is also stored offline. 
- Ensure Antivirus is installed and active.

Legacy systems should be isolated, and for any systems which are infected, consider removing them from the network.

Under Attack?
  • Customers in the healthcare sector should follow the national guidance as instructed by the NHS and the National Cyber Security Centre (NCSC).
  • UK customers consult the Cyber Information Sharing Platform (CiSP).
  • DeepRecce customers requiring further advice or information should contact our 24/7 incident response line www.deeprecce.com

--
Repository of information:
WannaCry|WannaDecrypt0r NSA-Cyberweapon-Powered Ransomware Worm
https://gist.github.com/pcostesi/87a04a3bbbdbc4aeb8b787f45eb21197 

Microsoft released notes:
https://blogs.technet.microsoft.com/mmpc/2017/05/12/wannacrypt-ransomware-worm-targets-out-of-date-systems/

Wednesday 19 April 2017

OWASP Top 10 (2017 Release Candidate) - Thoughts

I understand the importance of highlighting Underprotected APIs (A10), and I do agree with it. However, to my eyes this is another stage during a security assessment, while the penetration tester is engaged in testing for different types of Injections (A1).
I believe Injections (A1) should include the Underprotected APIs
(especially based on the example attack scenarios given on page 17 of the Top 10 RC PDF).

From what I have seen on several real-world projects, Unvalidated Redirects and Forwards is a very common security issue (when you manage to identify where it is hiding), but it is not highlighted in security reports (and penetration testing reports) that often. Thus, it seems and feels like it is not that popular as a finding.

One of the main reasons this particular security issue is not mentioned that often, is because businesses (the business perspective) see this highlighted risk as a "two-step attack", so, instead of addressing it, they simply "accept the risk".

From what I have seen in different real-life projects, dropping "A10 – Unvalidated Redirects and Forwards" will be mistakenly perceived (misunderstood) as an "insignificant" security issue, while, it can be used to spawn a number of attacks. 

If an attacker manages to redirect/forward a user to a fraudulent website (that looks exactly like the legitimate one), then it is game-over for that user. How many of you remember the issues with the Unicode URLs back in the day? In one case, two companies lost a significant amount of money because of a fraudster, due to this "insignificant" issue.

Just to mention a couple very recent examples: 
Punycode: https://www.wordfence.com/blog/2017/04/chrome-firefox-unicode-phishing/
or the unvalidated redirect on LinkedIn, which allowed malware to be downloaded via LinkedIn redirects (even though they were hashing the URLs):
https://gfragkos.blogspot.co.uk/2015/06/linkedin-security-issue-unvalidated.html

So, in my humble opinion, A1 should be Injections that include calls to Underprotected APIs: 
A1 - Injections, including Underprotected APIs

and keep:
A10 - Unvalidated Redirects and Forwards. 

This blog post is intended to be perceived as food-for-thought.

Thursday 9 February 2017

Ticketbleed (CVE-2016-9244)

A vulnerability similar to the well-known heartbleed was discovered in the TLS/SSL stack of F5 BIG-IP appliances that allows a remote attacker to extract up to 31 bytes of uninitialized memory at a time. This vulnerability is called Ticketbleed as it lies in the implementation of Session Tickets, which is a resumption technique used to speed up repeated connections. The vulnerability affects the proprietary F5 TLS stack which exposes 31 bytes at a time.

Test
You can test your domain using the automated script which you can find at: https://filippo.io/Ticketbleed/

Alternatively, you can test for Ticketbleed yourself with a Go script: here
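As an added illustration that is not part of the original post or of the linked scripts, the following Python simulates the logic bug behind Ticketbleed beside its fixed form, and implements the same check the public test scripts rely on (send a short session ID with a valid ticket and see whether more bytes come back); the buffer contents and class names are constructed for the example.

```python
"""Added example: a simulated session-resumption responder that reproduces
the Ticketbleed logic bug beside the fixed version, plus the detection
check. Not F5 code; the buffer contents are constructed."""

SESSION_ID_MAX = 32  # a TLS ServerHello session_id is at most 32 bytes


class ResumptionResponder:
    """Stand-in for the session-ticket resumption path of a TLS server.

    On a resumed connection the server echoes the client's chosen session ID
    back in the ServerHello. The bug lies in how that echo is built.
    """

    def __init__(self, vulnerable: bool):
        self.vulnerable = vulnerable
        # Constructed stand-in for whatever a fixed-size buffer held before
        # this connection (stale bytes from an earlier session, and so on).
        # On the real appliance this is uninitialized memory.
        self._buffer = bytearray(b"\xaa" * SESSION_ID_MAX)

    def server_hello_session_id(self, client_session_id: bytes) -> bytes:
        if not 0 < len(client_session_id) <= SESSION_ID_MAX:
            raise ValueError("session id must be 1..32 bytes")
        # Both variants copy the client's session ID into the fixed buffer.
        n = len(client_session_id)
        self._buffer[:n] = client_session_id
        if self.vulnerable:
            # Bug: the copied length is not tracked, so the whole 32-byte
            # buffer is echoed; with a 1-byte ID the other 31 bytes are
            # whatever memory was there.
            return bytes(self._buffer)
        # Fix: echo exactly as many bytes as the client sent.
        return bytes(self._buffer[:n])


def ticketbleed_indicator(sent: bytes, echoed: bytes) -> bool:
    """Detection heuristic used by the public test scripts.

    Send a short session ID (1 byte) with a valid ticket; a vulnerable server
    replies with a longer session ID whose prefix is what we sent. A server
    that rejected the ticket replies with a fresh random ID instead, which
    will not share the prefix, so the prefix check avoids that false positive.
    """
    return len(echoed) > len(sent) and echoed.startswith(sent)


def leaked_bytes(sent: bytes, echoed: bytes) -> bytes:
    """The bytes beyond what we sent (empty when there is no leak)."""
    return echoed[len(sent):] if ticketbleed_indicator(sent, echoed) else b""


if __name__ == "__main__":
    probe = b"\x01"
    for vulnerable in (True, False):
        echoed = ResumptionResponder(vulnerable).server_hello_session_id(probe)
        print(f"vulnerable={vulnerable}: echoed {len(echoed)} byte(s), "
              f"leak={len(leaked_bytes(probe, echoed))} byte(s)")
```

A server with Session Tickets disabled (the mitigation below) never takes the resumption path, so the check reports nothing for it.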

Fixes and mitigation
The full list of affected versions is available on the F5 website. At the time of this public disclosure not all releases have upgrade candidates available.

Disabling Session Tickets is a complete mitigation, which will only cause a performance degradation in the set-up phase of resumed connections.

Reproduced here are the instructions provided by F5 and available at the link above.

  1. Log in to the Configuration utility
  2. Navigate on the menu to Local Traffic > Profiles > SSL > Client
  3. Toggle the option for Configuration from Basic to Advanced
  4. Uncheck the Session Ticket option to disable the feature
  5. Click Update to save the changes

Source: https://filippo.io/Ticketbleed/

Monday 26 December 2016

TP-LINK Modem / Router (ADSL2+) Security and Vulnerabilities

I really hope this blog post starts a small trend when it comes to the security of home-based routers. I started searching online for home routers (SOHO) and wanted to compare them based on how secure they are, up to a reasonable price for a household. I have seen all these different makes that have been found in the recent years to contain hard-coded credentials and other known backdoors, and I wanted to investigate this a bit further. 

It is very hard to find security related information about routers before deciding which one to buy. Also, it is really annoying to see that manufacturers only care about and promote the features and functionality of a router, and do not consider security at all.

From where I stand, when a company sells a router, it should be in their best interest for that router to have no security vulnerabilities. Otherwise, it is like a company that wants to sell bulletproof vests that don't stop bullets, other than those fired from Airsoft BB guns.

I do understand that most people might choose a router based on its cost, colour, shape and if it is shiny. However, from my experience, these people just want to get online and want to simply replace the really bad modem/router their ISP provided for "free". Most of the time the real reason behind that decision is because when more than two devices are connected to those "free" devices, the Internet experience becomes annoying, to say the least. For such use, it is not hard to find a replacement for these "free" routers at a very reasonable price, and 90% of the time, it is totally worth it.

Friday 23 December 2016

in-flight entertainment vs avionics

For those of you who have had the opportunity to see one of my presentations, "Can you really hack an airplane: Myths & Truths", you are already familiar with what is really happening and with the confusion between in-flight entertainment systems and avionics (https://en.wikipedia.org/wiki/Avionics). I was asked to put this article up by a number of friends in the security industry to highlight a few very important points. The purpose of this article is to provide food for thought, especially when you hear someone saying that they "hacked" an airplane, or made it fly "sideways" by tampering with its systems through the in-flight entertainment system. Consider the following points and come to your own conclusions.

Anyone who is trying to "generalise" and claim that during an actual flight, for example through the in-flight entertainment system, they managed to take control of the plane and/or that it is possible to actually fly an aircraft like this, should first read what the law has to say about this (Tokyo Convention 1963).
Do you really want someone with the excuse of being a "security researcher" tampering with the airplane's systems while you are on an actual flight, because he/she decided that he/she has nothing better to do? I am sorry, but from where I stand, we (security researchers) respect the law, and make sure we have permission to conduct any security assessments & penetration testing, in a safe and approved environment.

Sunday 16 October 2016

How to employ talents in the security industry

There are so many things to say on this subject, that it is really difficult for me to decide where I should start. I do not want to create a very long post, so, I will try to keep this brief and to the point. I will not try to explain each point in more detail because it wouldn't be much of a help at this stage, but I will try to give a few pointers on why it is currently considered a very challenging task for companies to employ talents.
Even though this is not an article about talents in the music industry, I have included the following video for you all to see. Believe me when I say, everything will make sense by the time you read through the article.
(In case you cannot see the embedded video: https://youtu.be/_xj1ncF5hSY)

Again, before you read any further, keep in mind that everything I am writing here is about the process of: identifying and employing talents, and more specifically talents in information security and information technology, and especially those that have a 'growth mindset'. (I will talk about the 'growth mindset' at a different post).

When you find a job opening online, it is most likely to have been written/revised by the HR department based on what is currently being asked for this role, based on similar job opportunities on the Internet. You can actually spot such job openings by looking at the requirements and see that they ask for “a little bit of everything” that does not really make a lot of sense. If you are the person tasked with the responsibility to hire someone and you try to modify the HR’s “template/process” to suit the particular needs of this new job opening, good luck.

You are going to end up filling in form after form that does not ask the right questions about what you are trying to achieve; it is almost impossible to deviate from HR's template, and at the end of the day, after spending time on this, HR will have the final say on the final form of the job opening. On top of that, in most organisations the shortlisting phase is done by HR staff who in reality have no real understanding of the skillset needed for the particular job, other than cross-checking the preset requirements in the job post. Hiring talents requires you as an organisation to rethink the whole process and ensure it actually invites talents to apply for the job openings your company has.

Talents do not fit in job descriptions. A talent does not live under a title saying I am a penetration tester, a security consultant, a security architect, etc. With talents, it works the other way around. They just know things (and love to keep learning things), or they are really good at things without knowing how good they are. They can combine information they already know to find solutions, they know how to solve problems, they have ideas, and they think in a different way than other people do. Instead of trying to fit them into a job description, look behind the curtain and read between the lines during the selection process and the interview. Allow them to tell you what they can do for the company, and which role they are interested in.

Most of the time, the shortlisting process simply excludes talents from getting into an interview. Imagine you are the talent and you have to spend almost two to three hours of your time trying to put your CV into an online web application that asks you completely irrelevant questions, because it was meant to be generic. For example, when you are planning to hire a developer who is a talent, you want someone who really knows how to write code, who knows how to solve an algorithmic challenge because he/she takes pride in that, someone who is not going to reuse a solution from "stackoverflow" without any idea how or why it seems to be working. These qualities cannot be put in a job description and cannot be highlighted in the automated shortlisting process. They can only be identified during the interview, when the person (talent) has a chance to answer the right questions.

The interview is the most important stage of the whole process. Let’s assume that the person being interviewed (who is a brilliant candidate and the talent the company is looking for) managed to overcome the aforementioned problems and got shortlisted for an interview (face-to-face or otherwise). The candidate now has to face four major problems.
  • The person conducting the interview is not trained or suitable for conducting interviews in general. Some of the people tasked to do this, they either do not like it, or they are really bad at it (even after training). The interview ends up being a great opportunity for people who know how or willing to “charm” the interviewer, and tell him/her what exactly he/she expects to hear. A talent is not there to charm anyone and play sympathy games. A talent expects to be respected as a person, valued for what he/she knows, demonstrate how eager he/she is to learn, what he/she can offer in this role and to be asked the right questions.

  • It is true that talents might have awkward personalities but this is part of what makes them special and so good in what they do. Consequently, the interviewer not only needs to be really good at interviewing people but also needs to be able to read between the lines. Not all people are comfortable talking about themselves, or go into an interview with the right attitude, or reply to the questions like superstars, or say something catchy. Sorry to break it to you, but if this is what you want to see in an interview, then you are looking for a "used car salesman", not a talent. Allow people time to feel comfortable and open up slowly. If they cannot talk about themselves, ask things about them and they will tell you (their answers might be brief sometimes, and your role is to help them elaborate on them). There are occasions where the interviewee replies to a question with something brilliant or something the interviewer is not familiar with. Instead of having an empty expression on your face and try to change the subject, think about allowing the talent to elaborate on this. We all learn a new thing every day, and your pride won’t be hurt if you listen carefully for a change.

  • The almighty checklist of standardised questions and the tick in a box. Don’t get me wrong, having a checklist of questions that need/should be asked is fine, but make sure you are asking the right questions. Seriously, what is the purpose of the question “can you tell me the OWASP Top 10 by heart”? Such questions are simply asked to make the interviewer feel superior (establish his/her dominance in the room) and the interviewee feel that he/she is not in charge (regardless of how "well" you respond to the question). Include questions that allow the interviewee to elaborate on his/her experiences and thought process (how they deal with problems, suggest alternative solutions, investigate issues, propose new project ideas, etc.), and not tricky/sneaky questions with a double meaning that he/she cannot think about at that particular moment, mostly due to the stress of the interview. Also, make sure you took the time to read the CV (resume, for my US friends) of the person you are interviewing, and allow him/her to tell you whether they have done some amazing things (projects), which these are, how they came up with the idea and why. Telling/admitting to the interviewee that you haven’t read his/her CV before entering the room and conducting the interview is, from where I stand, simply unacceptable, and you should not be conducting the interview (or any interviews in general). If you haven't spent at least ten minutes reading through the submitted CV/resume prior to the interview and highlighting the things you would like the interviewee to elaborate upon, then clearly you are not interested in finding a talent for the company (and this lack of interest in finding a talent is currently being interpreted by many companies as a shortage of talents). You are simply wasting your time just to get away from work for an hour or so, wasting the interviewee's time, and you just want another tick in a box saying that you conducted an interview.

  • The interviewee can do nothing about his/her future “team-mates” feeling threatened by the fact that the company is about to hire the talent they were looking for, for so long. It is not uncommon for the first interview to be conducted by the person who is supposed to become your future boss. This is actually really good, as you get a vibe of the person in charge and he/she gets an opportunity to get to know you (and to explain what he/she is looking to bring into the team, the real need, not simply a generic job description). Imagine now the case where the talent nails that interview and his/her future boss is really impressed. So impressed, the candidate is asked to stay and do the second interview on the same day and get things going as fast as possible. Sometimes, that second interview is given to someone the candidate will end up working with, which is usually considered to be the “number two” guy on the team. As we are only human, there have been cases where the interviewer felt like he/she is not going to be the “number two” for much longer, because the candidate is really a talent. In that case, the almost future boss ends up getting a disappointing report / feedback from his/her “number two”, saying that the candidate failed the technical part of the interview. On one occasion, believe it or not, the guys conducting the second interview said this to each other after the interview: "This person is brilliant, has everything the team needs and what the company is actually looking for at the moment. However, if we decide to recommend this person, he/she will be able to do everything (every task) we assign him/her to do without any problems or training. I am afraid he/she will be able to demonstrate that he/she can do both of our jobs within two to three months".
Last but not least, asking the right questions. It was mentioned a few times during the article on purpose. First of all, keep in mind that it is a lot easier for talents to identify talents in their particular area of expertise (I am not referring only to people with technical skills here). There is no point asking questions that anyone can answer using a search engine by simply clicking on the “I’m feeling lucky” option. Talents are identified
  a) by their achievements (up to that point in time),
  b) the reason(s) why they did things in a certain way to solve a problem,
  c) the way they challenge themselves on a daily basis and 
  d) what challenging projects they have completed successfully,
  e) their particular and unique thought process,
  f) their out-of-the-box thinking and novel ideas, etc.

Ensure the questions being asked reflect these qualities. Allow the questions to take twists and turns, be flexible based on the personality and background of the person being interviewed, allow the questions to scale and progress gradually in the right direction, and elaborate and engage with the candidate in order to reveal the hidden diamond behind the sometimes rough surface.

Based on the above, and assuming that you took the time to watch the embedded video, consider a job opening in the music industry where a record company wants to put together a band. Imagine now this record company interviewing bands the way the Information Security industry conducts interviews for talents (automated short-listing process, narrow and irrelevant questions, interviews that do not allow you to demonstrate your talent(s) but only to reply to standardised checklists, etc.). Just imagine the questions:
Q: What instruments does each member of the band play? A: None.
Q: Do you sing? A: Well, this guy does; the rest of us make noises.
Q: Can you dance? A: No, we just sit on stools most of the time.
and so on... 

I would like to assume that you are now getting where I am going with this and I really hope you enjoyed reading this post (and the metaphor). I am considering making a proper presentation on the subject with more details and examples.

Tuesday 11 October 2016

IP EXPO EUROPE 2016 (..and winning a drone)

I had the opportunity to be at IP EXPO last week, in London. For those of you who are not familiar with the event, IP EXPO Europe took place at ExCel London (5-6 October 2016). 

The interesting fact about IP Expo is that you can find vendors and services across the whole spectrum related to IT. More specifically, under one roof you will find anything you need related to Cloud and Cloud services, Cyber Security, network and infrastructure solutions, data analytics, DevOps, and Open Source.

Compared to InfoSecurity Europe, it is a smaller event, but this ended up being a good thing. The exhibitors had a standard booth size allocation and it was much easier to get around, talk to people and find what you were looking for faster. Maybe this particular layout made more sense to my OCD, I guess.

Monday 3 October 2016

Towards a Cyber Resilience strategy (Cyber Security Awareness Month – Oct 2016)

As most of you already know, October is Cyber Security Awareness Month. The aim of Cyber Security Awareness Month is to raise awareness across the international community about cyber threats, discuss best practices, and educate the public and private sectors on how to stay safe online.

Cyber Security is promoted extensively during this month and many events are organized with the sole purpose of engaging and educating public and private sector entities, while providing them with the necessary tools and resources to stay safe when connected online. Given the opportunity, let’s talk about the UK’s Cyber Security Clusters and how you could engage, participate, network and, most importantly, ask any questions that you currently have regarding your organization's cyber security posture and staying safe online.

Sunday 18 September 2016

44CON 2016

Another year, another 44CON in London. A line-up of great talks, and a very good opportunity to catch up with friends from the industry. The event took place between 16-18/Sep 2016, at the ILEC Conference Centre.
This year you were able to solder your badge while you were there. There was a nice corner dedicated to soldering, with soldering irons provided and all the bits to make it work. 

I ended up making six of those in order to help out a couple of friends. It was really easy to make and really fun to do, especially when it started working as it should. 

The badge is called HIDIOT and it is short for HID IO Toolkit. :) The Human Interface Device Input/Output Toolkit (HIDIOT) is a USB-based board for manipulating and experimenting with USB HID class devices. The version given out at 44CON is unreleased. In effect, we decided to make our badge a piece of 0day hardware.

Wednesday 29 June 2016

Invitation to the largest European Cyber Security Challenge

ENISA (European Union Agency for Network and Information Security) is organising the European Cyber Security Challenge 2016 - the largest European challenge for cyber security talent. The Challenge will be held in November in Dusseldorf, Germany - and the Greek National Cyber Security team will compete with other national teams in various security-related challenges, such as web security, mobile security, crypto puzzles, reverse engineering and forensics.

The Greek team will be assembled in a qualifying round - in which we'd like to invite you to participate!

The qualifier will be held on Saturday, July 9 at the Department of Digital Systems of the University of Piraeus. The challenges will be similar to the ones outlined above, and the top 10 participants will comprise the Greek team that will travel to Germany. In order to be eligible, contestants need to legally reside in the country, be aged between 14 and 30, not hold a Master's or higher degree or have any professional experience in the information security sector - and of course have some InfoSec skills! Both competitions will be held in English, so contestants need to have at least a basic understanding of the English language.

The Greek team is organised by TwelveSec and the Department of Digital Systems of the University of Piraeus, and supported by other major Greek universities and organisations, such as Security BSides Athens.

All you need to do to get the chance to compete in the qualifier is to register on the official website of the Greek team: http://ecsc.gr/

Registrations are closing this week (Friday, July 1), so hurry up and register!