Track 1


 09:00 - BSides MCR - Welcome Remarks



 09:15 - KEYNOTE - Ian Glover (CREST GB)

Video -



 10:00 - Paul Johnston - Static code analysis, from source to sink

Video -

Slides - 



 11:00 -  COFFEE BREAK



 11:30 - James Kettle - Server-Side Template Injection: RCE for the Modern Web App

Video -




 12:30 - LUNCH



 13:30 - Ben Turner & Dave Hardy - PowerShell Fu with Metasploit “Interactive PowerShell Sessions in Metasploit”                      

Video -





 14:30 - Jim Slaughter - From Phish To Pwned: Dissecting a modern phishing campaign from e-mail to malware infection.              

Video -







 15:45 -  Kuba Sendor - Squashing Rotten Apples: Automated forensics & analysis for Mac OS X with OSXCollector                  

Video -



 16:45 - William Knowles - Yes, penetration testing might need standardisation. No, it's not the way you think.

Video -

Slides - 



 17:45 - BSides MCR - Closing Remarks



 18:00 - Close / MWR After Party

Track 2









 10:00 - James Maude - Who breached Ashley Madison and why should we care?



 11:00 -  COFFEE BREAK



 11:30 - Sam Thomas - PHP unserialization vulnerabilities – what are we missing?

Video -

Slides -



 12:30 - LUNCH



 13:30 - Richard Moore - Low-Level TLS Hacking                      

Video -

Slides -

Code -



 14:30 - Luke Drakeford - Detect & Protect: Securing financial applications in hostile environments              

Video -








 15:45 - Alberto Barbaro - Instrumentation of .NET applications using Frida                 

Video -



 16:45 - Stephen Fisher Davies - Exploring android smartlocks

Video -

Slides -






 18:00 - Close / MWR After Party



 10:00 - Ben Green / William Knowles (Security Lancaster)

            Industrial Control Systems (ICS) Security Demo 




 11:00 -  COFFEE BREAK







 12:30 - LUNCH




 13:30 - Francesco Mifsud / Ruben Boonen (Context)

           Windows Privilege Escalation (2hrs)















 15:45 -  Paul Johnson (Pen Test Ltd)

            Secure Coding (2hrs)











 18:00 - Close / MWR After Party

Speakers & Abstracts



Ian Glover, President, CREST GB

Ian Glover has worked in the IT industry for the last 39 years and has been working in information security for the last 34 years, and has enjoyed nearly every minute of it.

As President over the last six years, Ian has taken CREST to a position of influence in the technical security industry.  He has been instrumental in a significant number of major initiatives in the cyber security industry.  The most recent are the award winning Cyber Essentials scheme, assessing basic levels of cyber hygiene;  and the CREST, BoE and government project to develop the CBEST Scheme designed to provide higher levels of assurance for critical parts of the UK financial services specifically concentrating on those areas of systemic risk which, if compromised, would have an impact across the financial services industry.  The STAR scheme, which is the base from which CBEST is derived, is being considered by other financial services regulators and other parts of the critical national infrastructure.  He also helped to develop and implement the government CIR (Cyber Incident Response) scheme aimed at providing recovery services following a state sponsored attack and very serious organised crime that can have an adverse impact on the economy.  The CREST Cyber Security Incident Response (CSIR) scheme is aimed at all other forms of attack. 

As President of CREST, Ian has also worked on a number of IPR-free research projects in support of the industry.  He is working with industry, government, training organisations and academia to try and create a consistent message to encourage the best people into the cyber security industry and provide them with a clear, achievable and defined careers path.

Prior to representing CREST, Ian was one of the founders of Insight Consulting, one of the leading specialist consultancies in information security and business continuity management.  Whilst at Insight, Ian won the BCI award for consultant of the year twice.  The business was subsequently sold to Siemens and Ian was a Board member of Siemens Communications for five years.

Ian also established the CLAS Forum as a partnership linking the Information Assurance knowledge of the UK Government with the expertise and resources of the private sector.  The Forum, which promotes the interests of the CLAS community, provides a pool of more than 800 high quality consultants approved by CESG to provide Information Assurance advice to UK Government departments.  He was the Chairman of the Forum until April 2012.

He has always had a significant interest in technology.  He has worked for Ernst & Young on European Commission projects ranging from risk assessment methods, through incident reporting to the harmonisation of data protection legislation.  He worked for the Treasury (CCTA) to develop the BCS award winning CRAMM risk assessment and management methodology and UNIRAS the unified incident reporting and analysis scheme.  For the MoD, he was an early adopter of expert systems (AI) using it for unexploded bomb and missile recognition and the development of battle simulation models.

In support of his objective to encourage youth, Ian is also on the Executive of the Bloodhound Super Sonic Car project.  This project aims to build a 1,000 mph car with the objective of providing an inspirational project to inspire young people.



Static code analysis, from source to sink

Static analysis is an alternative approach to penetration testing, which focuses on analysing source code, rather than attacking running applications. I developed a prototype static analysis tool, and learned all sorts about static analysis and secure coding on the way. I will explain the basic principles of static analysis, the practical problems you hit, and the lessons for secure development practices. This will be useful for people who use static analysis tools, perform code analysis, and developers interested in security.


Paul Johnston

I’m a penetration tester with an interest in programming and securing web applications. Years ago, I wrote a JavaScript MD5 implementation which was widely used to protect passwords on the early Internet, before SSL was common. This led me to a career in security where I’ve had the chance to work with all sorts of different organisations and technologies, mostly working on web apps. I’m learning all the time, and my ideas are all a work in progress.



Who breached Ashley Madison and why should we care?

Most people assume data breaches of websites like Ashley Madison (the home of extra marital affairs) only affect the individuals exposed in the breach. This however is only one part of a much bigger picture, what happens if we start to mine other breaches? From Home Depot to Hacking Team we can combine multiple data breaches to create a data set and tool kit that any malicious actor could use to devastating effect. With sources such as WikiLeaks now being used as a form of adhoc security clearance by many this is now a reality. We will discuss how data breaches can have much farther reaching consequences than identity theft and phishing emails. Can we really influence government, escape criminal charges and profit from a breach?


James Maude (@endpointsec)

James Maude is a Senior Security Engineer @ Avecto. He researches malware and the threat landscape and takes great delight in trying to spear-phish his colleagues.



Server-Side Template Injection: RCE for the Modern Web App

Simple inputs can conceal an {expansive} attack surface. Feature-rich web applications often embed user input in web templates in an attempt to offer flexible functionality and developer shortcuts, creating a vulnerability easily mistaken for XSS. In this presentation, I’ll discuss techniques to recognise template injection, then show how to take template engines on a journey deeply orthogonal to their intended purpose and ultimately gain arbitrary code execution. I’ll show this technique being applied to craft exploits that hijack four popular template engines, then demonstrate RCE on two corporate web applications.
This presentation will also cover techniques for automated detection of template injection, and exploiting subtle, application-specific vulnerabilities that can arise in otherwise secure template systems.


James Kettle (@albinowax)

I’m head of research at PortSwigger Web Security, where I design and refine vulnerability detection techniques for Burp Suite’s scanner. Recent work has focused on design of the new Burp Collaborator system for identifying and exploiting SSRF, asynchronous blind code injection and out-of-band attack delivery. I have presented at BlackHat USA and AppSecEU, as well as both OWASP and BSides Manchester.



PHP unserialization vulnerabilities – what are we missing?

We regularly find unserialization issues during penetration testing engagements, often within previously tested systems, which often results in a serious compromise. This suggests the area is not sufficiently understood and testing methodologies need to be improved. This presentation will include demonstrations of some lesser known techniques which can be utilised to compromise Wordpress<3.6.1 and SilverStripe<2.4.6 amongst others.


Sam Thomas

Sam Thomas is a Senior Security Consultant and Head of Research at Pentest Ltd. Sam previously worked as an independent researcher specialising in browser bugs (



PowerShell Fu with Metasploit “Interactive PowerShell Sessions in Metasploit”

This talk will discuss the development of a new session type that now supports PowerShell interactively through Metasploit. Previously it has not been possible to run an interactive PowerShell session from inside Metasploit. Ben and Dave have developed this entirely new session type for Metasploit and have had this approved into the Git version of msf. Including many new session types, there is now additional functionality to weaponise the sessions in Metasploit to utilise tools like PowerSploit, PowerUp and PowerView inside a Metasploit session, almost ‘like being on the box’. Also included will be a discussion around the use of PowerShell as a post exploitation vector, including full start-to-finish demos and some newly developed Metasploit POST modules. The expected audience ranges from the advanced red teaming penetration tester to a Microsoft certified engineer.



Ben Turner (@benpturner) & Dave Hardy (@davehardy)

Ben Turner (@benpturner) I am a senior security consultant with over 5 years’ experience as a penetration tester and currently working for Nettitude. I have been through both the CREST team leader infrastructure exam and the attack specialist exam, including taking various hacking courses such as OSCP and WAHH. I conduct security assessments on all types of systems for both green and blue chip companies. Most of my time away from work is spent researching new tools and techniques, including creating my own scripts and modules to assist the pentest community. I also run a joint security blog at and frequently contribute to open source tools and penetration testing frameworks.


Dave Hardy (@davehardy20) I’m a security consultant with about 5 years experience as a full time pentester, previously I have been a Sys Admin with un-official security roles. I’ve been working with computers before Windows came along, so I’ve seen the full evolution of Windows and its associated ups, downs, twists and turns and, yes I’m older than your average pentester. I run the blog and the Dave Hardy Daily on Twitter and security is more like a lifestyle than a job.



Low-Level TLS Hacking

Generally penetration testers focus on SSL/TLS as a blackbox, usually using the open-SSL command line. The exception to this is when we see exploits for vulnerabilities such as heartbleed when we generally just see a big string of hex. Wouldn’t it be nice if there was a way to easily construct our own TLS records, handshake messages and even broken messages so that we can have something in between? This talk will describe the TLS record layer and handshake protocols, and introduce the pytls library that can be used to create these messages in an easy way. It will compare the commonly found heartbleed exploit with an equivalent written using pytls and demonstrate how we can write tests for some other common vulnerabilities. Finally, the talk will show how it is possible to determine the SSL/TLS implementation in use on a server by actively probing for differences in the protocol implementations between different libraries, and even different versions of the same library.



Richard Moore (@moore_rich)

Richard Moore is the CTO of Westpoint Ltd, a security testing company based in Manchester. He has found security problems in the SSL/TLS implementations of all the major browsers. A long time ago, he was one of the original developers who created KHTML which you’ll probably know as WebKit (or Blink if you’re using Chrome). In his copious free time he also maintains the network stack for the Qt development framework, particularly the SSL/TLS support.



From Phish To Pwned: Dissecting a modern phishing campaign from e-mail to malware infection

My intention with this talk is to focus on the defence/incident response side of the security house and walk through a real scenario that many businesses find themselves in on a daily basis. My aim is to cover the technical aspects of responding to an event of this nature as well as distilling the potential business consequences.


Jim Slaughter (@slaughterjames)

Who Am I? I’m Canadian, eh! By day I’m the Cyber Security Analytics Manager for a Tier 1 financial organization in Scotland. I do malware analysis, reverse engineering, threat actor analysis and cyber investigations. Previously, I spent 9 years on the Enterprise Development team at BlackBerry in Waterloo, Ontario Canada. For the past 7 years, I’ve spent my nights and free time hacking – mostly malware analysis/RE. I’ve also previously spoken at B-Sides Detroit and the inaugural B-Sides Manchester. I blog at



Detect & Protect: Securing financial applications in hostile environments

Mobile payment applications contain sensitive user data and easily abused functionality, and all the while execute within environments which cannot be trusted. This talk will explain the implications of running financial applications within such hostile environments, and demonstrate how an application can be reverse engineered and modified. We will also discuss the implications of such an attack, including - targeted malware, the loss of confidence in the security of financial institutions, and the loss of intellectual property.


Luke Drakeford 



Squashing Rotten Apples: Automated forensics & analysis for Mac OS X with OSXCollector

OSXCollector ( is an open source forensic evidence collection and analysis toolkit for Mac OS X. It automates the forensic evidence collection and analysis that previously Yelp's team of responders has been doing manually.

We use Macs a lot at Yelp, which means that we see our fair share of Mac-specific malware alerts. Host based detectors like antivirus software will tell us about known malware infestations or weird new startup items. Network based detectors see potential CnC callouts or DNS requests to resolve suspicious domains. Sometimes our awesome employees just let us know, “Hey, I think I have like Stuxnet or conficker or something on my laptop.”
When alerts fire, our incident response team’s first goal is to “stop the bleeding” – to contain and then eradicate the threat. Next, we move to “root cause the alert” – figuring out exactly what happened and how we’ll prevent it in the future. One of our primary tools for root causing OS X alerts is OSXCollector. It was developed in-house at Yelp to automate the digital forensics and incident response (DFIR) based on our past experiences when dealing with the malware infections and other threats haunting Yelp's corporate network.


Kuba Sendor (@jsendor)

Kuba Sendor is working at Yelp security team where he fights malware and together with other Yelp engineers makes sure that the company internal network as well as Yelp website and mobile applications stay secure. Previously he worked at SAP in the Security and Trust research group where he participated in the initiatives related to access control and privacy in the digital world.
He holds double MSc degree in Computer Science from AGH University of Science and Technology in Krakow, Poland and Telecom ParisTech/Institut Eurecom in Sophia Antipolis, France.


Instrumentation of .NET applications using Frida

There is currently no de facto standard to help a reverse engineer or geek to easily understand the structure of a .NET application and interact with it without access to the source code (particularly if the MSIL has been obfuscated). This gap has now been filled thanks to Frida ( and the power that the framework offers. Frida is a portable instrumentation framework that allows you to inject the Google Chrome V8 engine within a process’ memory and interact with the target process using Python and JavaScript. Having this power allows practitioners to:
• Enumerate modules
• Enumerate memory ranges
• Read/Write/Scan the process’ memory
• Call functions with crafted parameters
• Read/Modify input functions’ parameters
• Read/Modify the return value of a function
• Establish full duplex communication with the target process using JSON messages
At the end of the talk attendees will have a good understanding of the potential offered by Frida and they will be able to replicate all the demos explained during the talk and use the same techniques during an assessment of a thick client written in a .NET (or any other) language.


Alberto Barbaro

Alberto successfully completed a bachelor degree in computer engineering at “Politecnico di Milano” in March 2007. Successively he joined the “Universita’ degli Studi di Milano” completing a bachelor degree in computer security in February 2011 and later a Master of Science in Computer Security in October 2012. During his time at university he worked as a developer for 10 months in a security company developing a framework used internally in order to easily reverse engineer malware with particular attention to Zeus Trojan framework. At the end of his traineeship in 2012 he joined Spike Reply in Milan starting officially his career in computer security working as a penetration tester.
Alberto continues to progress with his research and love of vulnerability research as a consultant in NCC Group where he has been working since February 2013. 



Yes, penetration testing might need standardisation. No, it’s not the way you think.

You’ve read the title and you’re panicking. Don’t. This isn’t a talk about having a standardised methodology for conducting penetration tests. It is, however, a talk about the way the industry offers services and what clients receive in return. Standardisation here might be good not only for clients, but also the individuals delivering these services (such as yourself). This talk is based on a market analysis (involving 54 stakeholder interviews) by the British Standards Institution (BSI) and Lancaster University.


William Knowles (@william_knows)

William Knowles is involved in an EPSRC Industrial Case PhD that is supported by the Airbus Group (formerly EADS) where he conducts research around penetration testing within Industrial Control System environments. This PhD is being undertaken at Security Lancaster, an EPSRC-GCHQ Academic Centre of Excellence in Cyber Security Research. He is also a Tigerscheme Qualified Security Team Member (QSTM) and ISO/IEC 27001:2013 Lead Auditor.



Exploring android smartlocks

A review of Android Lollipop ‘Smart Locks’ and how they can be exploited to fool a handset into thinking it is in a safe ‘trusted’ environment.
The aim of this talk is to inform people how to correctly handle mobile exhibits to unlock phones using an activated smart lock to enable access to data for forensic examination. In addition the talk covers Smart Lock logs, how they can be retrieved and used, not needlessly lost. The talk will cover:
• Recognising and identifying a smart lock enabled phone
• Location smart locks
• ‘Safe’ location spoofing testing to date and the risks involved
• Trusted device smart locks
• On person smart locks
• Smart Lock Logs


Stephen Fisher Davies (@fisherdavies)

Stephen Fisher Davies BSc is a Senior Digital Forensic Consultant at Sytech Consultants; Forensic mobile phone and computer examiner with 8 years of experience, including 5 years at the Avon and Somerset Police Hi Tech Crime unit. In this time I have worked on over 1,000 cases including a number of major police investigations in the South West of England. In addition to my day job I also work as a freelance mobile phone forensics trainer with a keen interest in Flasher Box forensics and hardware level data recovery/forensic techniques.



Burping Up Data: What Your Apps Reveal About You

Ever wondered what information your apps give away before you even authenticate? Does that photo editing app send your selfies to “the cloud”? Or does that GIF keyboard you downloaded keep track of everyone you message?
This talk will present the results of ongoing research into the most popular apps in various categories of the iOS App Store (and possibly Android too, time allowing), focusing on what information they send, and where they send it to. These results will be used to identify patterns in app categories and their attitudes to security, analytics, and privacy.


Iain Smart (@smarticu5)

I’m a student currently interning with NCC Group before my final year studying Ethical Hacking and Countermeasures at Abertay University. I’m also Secretary of the Abertay Ethical Hacking Society, and one of the organisers of the annual Securi-Tay conference held in Dundee.




A discussion of userland rootkits making use of the LD_PRELOAD mechanism, focusing on their functionality and flaws, and how they’re both good and bad for sysadmins and hackers alike.


Alastair O’Neill (@_ta0)

Security Consultant at NCC Group with an interest in malware, ancient UNIX, and great hats.



OWASP-SKF Making the web secure by design

Will be a mixture of the workshops we have already given and an inspirational presentation. For an example you can check the workshop slides:


Glenn Ten Cate (@FooBar_testing_)

As a coder, hacker, speaker, trainer and security researcher Glenn has over 10 years experience in the field of security. Employed as a security engineer at Schuberg Philis in the Netherlands and speaking at multiple security conferences. His goal is to create an open-source software development life cycle with the tools and knowledge gathered over the years.



Financial Crime: The Past, The Present and The Future

Opening with boiler room investment fraud:
• Common fraudulent products and practices
• Pump-and-dump schemes
• The cost to the UK investor

Moving on to hedge funds and insider trading:
• The rise of the hedge fund after the tech bubble burst
• Insider trading and false rumour-spreading
• How they keep from being caught

Finishing off with:
• Leveraging trades
• How easy it is to place highly leveraged trades anonymously
• What do we do about this?


Marcelo Mansur (@thatinfosecrec)

My name's Marcelo Mansur and I'm a freelance information security recruiter. Having had first hand experience of working in a boiler room, I became preoccupied with how the scam had worked and how they had kept everyone, including their employees, in the dark for so long. Following a number of conversations with the FSA (now FCA) I then became more aware of other maleficent practices in the industry, and learning what I have about cybercrime in the last year has really opened my eyes to the ever increasing ease with which these could be carried out.



Artificial intelligence and security

Within the field of artificial intelligence, there are many tools which we can use in the security world. On the offensive side, you have fuzzing and guessing credentials; defensively, you can have a smarter IDS. The tools are not difficult to understand or learn, either; this talk will introduce two main ideas, metaheuristic search and neural nets, show you how you can code them up, and highlight some examples of how they've been used in the real world to break and fix things.


Edward Bowles

I'm a PhD student at the University of York, working on applying metaheuristic search to breaking crypto. I like fixing broken things and picking locks.



Journey into hunting the attackers

An attacker can use a number of tools and techniques to retrieve credentials without triggering Anti-Virus programs, these include built-in Windows Operating System commands or popular attacker tools with the aim of being as stealthy as possible. This talk will aid an Investigator to identify the artefacts on the File System and analyse Memory dumps for malicious activity.


Asif Matadar

Asif works for MWR InfoSecurity as an Incident Response Consultant working in the Investigations and Incident Response Practice, responding to and containing security incidents for their clients, with a particular focus on advanced targeted attacks along with covering a wide range of areas including Digital Investigations, Threat Intelligence, and guiding their clients through the implementation of response procedures.
Asif was previously working as a Security Systems Engineer at an ISP responding to security related incidents ranging from APT attacks, DoS, DDoS, phishing scams and web defacements to name a few. Working primarily with *NIX systems ranging from complex MySQL clusters, web servers, PF redundancy, DRBD, Corosync, Heartbeat, NFS, RADIUS clusters, Kerberos, LDAP, Asterisk and Load Balancing.



Who uses LOIC these days anyway?

Over the past 10 – 15 years, Distributed Denial of Service (DDoS) attacks have grown alongside the development of the internet. Today, DDoS attacks are a mainstream threat towards organisations and governments across the globe, highly influencing their design and operation. With an ever evolving world in which the Internet continues to become more and more prominent, and the Internet of Things threatening to take over the world, the landscape for potential DDoS attacks is growing larger by the day.
With the ability to knock major internet services offline, and even result in Internet slowdown, DDoS attacks are a commonly misunderstood yet highly effective form of cyber-attack. During this talk I will discuss the various categories of DDoS attack, outlining their characteristics, requirements and impact and also touch on the array of various defensive mechanisms that can be employed too.


Matt Watkins

Computer Networks and Security graduate, and twice Cyber Security Challenge masterclass finalist currently working as a Network Intrusion Analyst at MWR InfoSecurity. When I’m AFK, I’m likely to be out riding my bike, climbing, running or doing some other form of physical activity – at least that’s what I like to tell everyone.

