This event is kindly sponsored and hosted by Skype (Microsoft).
Doors open at 6pm; the talks start at 6:30pm (we start on time).
Introduction and OWASP News - Sam Stepanyan and Sherif Mansour
Welcome and OWASP updates from the OWASP London Chapter Leaders
The Thermostat, the Hacker, and the Malware - Ken Munro and Andrew Tierney
Following the PoC thermostat ransomware that Ken Munro and Andrew Tierney performed at DefCon 24, this presentation digs even deeper into IoT devices and their apps. Staying with the thermostat, Ken and Andrew will walk through the ransomware attack and then move on to general malware, which has no easy method for detection. Even when firewalled, these devices are still vulnerable to local attacks, so we’ll show you how you can achieve a compromise. We’ll also take a look at CSRF spraying, IoT gear in public areas, supply chain tampering, and malicious firmware updates.
Using Tests To Attack and Defend Node.js Applications - Dinis Cruz
Ken Munro is a successful entrepreneur and is founder and partner in Pen Test Partners, a partnership of like-minded professional penetration testers, all of whom have a stake in the business. He takes a key role in conducting investigations as well as encouraging team members to pursue their own research, the results of which are published on the company blog and in the wider media. Ken has a wealth of experience in penetration testing, but it’s the systems and objects we come into contact with on an everyday basis that really pique his interest. This has seen him hack everything from hotel keycards, to cars and a range of Internet of Things (IoT) devices, from wearable tech to children’s toys (Cayla) and smart home control systems. Ken has been in the infosecurity business for 15 years.
Andrew Tierney is a security consultant at Pen Test Partners. Prior to this he gained notoriety for his blog, where he documented his findings regarding embedded systems such as routers, intruder alarms, thermostats, IP cameras, and DVRs. He expanded his skills into the realms of IoT web applications and mobile applications before joining the team. With a background in electronic engineering, Andrew employs some novel techniques for attacking embedded systems, such as simple and differential power analysis, firmware recovery, and glitching attacks. He has experience in both writing and disassembling code for multiple architectures, including ARM, MIPS, x86, AVR, and PIC, and is capable of reverse engineering a wide spectrum of devices, from the smallest 8-bit microcontroller up to the latest Android phones.
Dinis Cruz is a renowned application security expert who is passionate about creating Application Security teams and providing Application Security assurance across the Software Development Lifecycle (from development, to operations, to business processes, to board-level decisions). His focus is on the alignment of the business’s risk appetite with the reality created by internally developed applications. He is also an active Developer and Application Security Engineer. A key drive of his is to 'Automate Application Security Knowledge and Workflows', which is the main concept behind the OWASP O2 Platform.
This event is free to attend for both members and non-members of OWASP and is open to anyone interested in web application and information security. Please note that you MUST book your place to be admitted to the event by the building security.