Modern cars are typically equipped with multiple wireless interfaces and through features such as telematics and in-car mobile handset connectivity they are quickly becoming Internet-connected devices. As such the threat landscape for automotive systems has changed dramatically – organised crime and hackers now have many different potential attack vectors against vehicles, whether they wish to attempt to break into or steal a vehicle or to remotely cause it to perform actions beyond the control of the driver, thereby impacting on vehicle and driver safety.

This session will walk through NCC Group’s research of the modern car attack. We will show delegates real-world examples of the risks that modern cars are facing. The session will also present a high-level methodology for testing the end-to-end security of connected cars and will discuss realistic mitigations that can be achieve through secure development life cycles.

Oops - you clicked on a link and unwittingly reconfigured your router, changed your tax refund account number and revealed your browsing history! How did this happen? Shortly after your bank went online, attackers discovered the joy of Cross Site Request Forgery (CSRF). Some twenty years later it's still one of the most common web vulnerabilities. In this session we'll discuss what CSRF is, why it works, and how to protect your web application against it. We'll look at actual attacks and different flavors of CSRF. We'll discuss what kind of protection works and what doesn't, and why you must learn to love that same-origin policy thing that otherwise only seems to get in your way. Heck, there will even be some slides about 1995 and Netscape!

Kali, Backbox, Metasploit, BeEF. All tools in an arsenal that exist to break through your security defences. This talk introduces the tools available and shows how they can be used to get through your defences. It is more a massive demo than a talk and is an exploration of the tools and what they do. At end of this talk, you will have better understanding how to defend against them and spot the problems. We will go through recon, exploitation and maintenance of exploits. This is geared at developers, it pros and those with an interest in learning more about security tools and practices. No previous knowledge is required, the less you know the more WTFs you will utter!

From an architecture perspective iOS is one of the most secure mobile platforms available today. But there are examples of malware that have successfully targeted iOS despite the mandatory code signing, app review process, sandboxing, encryption, and lack of side-loading support.

This talk will explain built-in security mechanisms in iOS, common security issues that affect iOS developers and attack examples against iOS devices. We’ll cover XARA (cross-app resource attacks), masque attacks, SSL/TLS security, reverse engineering and how attackers try to circumvent the security rules enforced by the operating system. For each attack mentioned, we'll also discuss mitigation strategies.

The web has already slowly started to switch to HTTP/2. Daniel explains what problems HTTP/2 is here to address and how it does that. What makes it faster and safer? What is the status right now and how much traffic is on HTTP/2 already?

XML External Entity (XXE) attacks are not new, but we find them more and more often nowadays during our penetration tests. What's up with that? Lack of awareness among developers is the most likely reason.XXE attacks are fun. In this demo-based session we will see what attackers can do with it, from exfiltrating files to targeting internal servers.At the end of this session, you should have a pretty good overview of the risks involved with XML parsing, and you'll be able to prevent XXE attacks.Let's stop this XXE thing before it becomes the new SQL injection!

In this session Marcus Murray will demonstrate the latest and greatest methods and tools used by hackers in order to break into your systems.An awareness session you don't want to miss.You will learn how hackers target endpoint and applications. How they circumvent anti-virus and how they can compromise an entire enterprise without ever getting caught.