Research about the determinants of the cybersecurity behaviours of students. Professor Bertrand Venard (Oxford Internet Institute) conducts a major research project at OII about cybersecurity behaviours. Through empirical research, this project seeks to understand the determinants of individual cyber security behaviours of students in France and the UK. Bertrand Venard will present the main findings of his most recent empirical research.

Professor Bertrand Venard (Oxford Internet Institute) is conducting a major research project at OII about cybersecurity behaviours. Through empirical research, this project seeks to understand the determinants of individual cyber security behaviours of students in France and the UK. Bertrand Venard will present the main findings of his most recent empirical research.

This seminar aims to highlight why the defensive side of security will always be playing catch up to the offensive side. Through demonstrating real world techniques used both ‘in the wild’ and on client engagements, Ruptura InfoSecurity will highlight how even simple custom tooling can defeat the most up to date defensive technologies.

Shevirah founder and CTO Weidman is a serial entrepreneur, penetration tester, security researcher, speaker, trainer, and author. She holds a MS in computer science as well as holding CISSP, CEH, and OSCP certifications. Her work in the field of smartphone exploitation has been featured internationally in print and on television. She has presented or conducted training around the world including venues such as NSA, West Point, and Black Hat. Weidman founded Bulb Security LLC, a security consulting firm specializing in security assessments/penetration testing, security training, and research/development. She was awarded a DARPA Cyber Fast Track grant to continue her work in mobile device security culminating in the release of the open source project the Smartphone Pentest Framework (SPF). She founded Shevirah Inc. to create product solutions for assessing and managing the risk of mobile devices and the Internet of Things (IoT) in the enterprise and testing the effectiveness of enterprise mobility management solutions and is a graduate of the Mach37 cybersecurity accelerator. She is the author of Penetration Testing: A Hands-On Introduction to Hacking from No Starch Press. She was the recipient of the 2015 Women’s Society of CyberJutsu Pentest Ninja award. She is on the board of advisors of the angel backed security training startup Cybrary, an adjunct professor at Tulane University and the University of Maryland University College, a member of the CyberWatch Center's National Visiting Committee, and served as a judge for the FTC’s 2017 Home Inspector IoT security challenge. Weidman is also occasionally an angel investor in cybersecurity startups

- Often the perception is that the security skills gap is for Security Operations Centre Analysts and Pen Testers - However the gap that we have in the industry is much wider - how do we unlock new groups of skills? - What are the soft skills that we are looking for? - How do we train business leaders to understand the business implications of cybersecurity?

Exploitability assessment could facilitate the prioritization of vulnerability remediation. In the past, security researchers and analysts assess exploitability for vulnerabilities by generating exploits manually. These methods involve a tremendous amount of human effort and require significant expertise. In order to solve this problem, automated exploitation approaches are introduced. However, as I will demonstrate in this talk, the effectiveness of existing automated exploitation approaches is limited by many assumptions. For example, the existing approaches mostly assume the state space of the program is limited, no security protection or exploit mitigation is enabled, and the capability of a vulnerability is already known. In this talk, I will introduce three lines of research works to tackle the problem of exploitability assessment without any assumptions. More specifically, I will talk about how we utilize static and dynamic analysis approaches to (1) explore the capability of a vulnerability, (2) pinpoint useful objects to obtain control over necessary registers, and (3) identify general exploitation chains to bypass widely-deployed kernel mitigation. Along with the introduction of these techniques, I will also demonstrate their practical impacts by using real-world vulnerabilities.

A case study of ransomware acquisition, triage, analysis and decryption. Showing the most common flaws within ransomware and how to create decryptors.

The legal context for the protection of electronically stored data and data systems from unlawful interference is a fascinating and developing area that bridges different sources and principles, including common law doctrines and statutory and regulatory standards. With this context in mind, the presentation will assess recent legal developments to attempt to predict legal trends in the field of cyber-security.  The foundation of the current approach is a fast-developing statutory and regulatory framework, most relevantly the important changes implemented under the  EU General Data Protection Regulation (GDPR) framework, which has applied in the UK from 25 May 2018, and similar regimes introduced in other regions and internationally.  By assessing the implementation of regulatory norms, Laura will predict how the regulation against cyber-crime, including controls of crypto-assets, may proceed, particularly in light of the recent FCA Guidance.  Relatedly, there will be an assessment of recent judicial authorities and legal commentary on rights over crypto-assets. The developments include the observations as part of the UKJT consultation, the extra-judicial speech by the Lord Chancellor, the landmark Singapore Supreme Court decision (holding that bitcoin can be the subject of a trust in B2C2 Ltd v Quoine Ltd SGHV), and the English High Court judgment that held that buyers of bitcoin may benefit from protections afforded to consumers (Ang v Reliantco Investments Ltd [2019] EWCH 879 (Comm)). The final part of the presentation will explore recent cases in privacy rights in data, and use this analysis to explore potential future judicial developments. Most relevantly, the issues arising from the Court of Appeal decision of WM Morrison Supermarkets Plc v Various Claimants [2018] EWCA Civ 2339 and the subsequent appeal to the Supreme Court, and the expected appeal from Lloyd v Google LLC [2018] EWHC 2599 (QB). To conclude, the presentation will predict developments arising from the case-law and risk mitigation measures that can be implemented to address expected movements in the sector. Laura’s recent blog on the Court of Appeal’s decision can be found here: https://www.law.ox.ac.uk/business-law-blog/blog/2019/10/english-court-appeal-hands-down-eagerly-awaited-judgment-clarifying

Malware analysis is one of the most exciting yet daunting tasks in the security research world. A typical researcher spends countless hours and sometimes days to dissect malware and exploits. To keep up the pace (and sanity) many automation tools have been built to help with different kind of tasks. Usage of such tools brings a massive problem of maintaining working and secure infrastructure. An infrastructure often operated in very hostile environments. This problem causes researchers to spend too much of their time and resources on the infrastructure instead of spending it on their target goal. In this talk, we will learn how every malware analyst can start rapidly using serverless technology to make their life easier. We will dive into a serverless open source project called MalScanBot. Learn how it was built and how it can be used as a template for many other interesting project. Because as a researcher you should always  Focus on your malware, Not Infrastructure.

In August 2018, Jake was given permission from the chief constable of Dorset Police to pen test a police station to see if it was possible to gain entry past secure doors and security officers, specifically into the Intelligence Unit as well as gain access onto the force network unnoticed. He was able to get through every door he tried and then he was able to hack into the Head of Anti-Corruption, change his password and access all of his files. The aim of this experiment was not to ridicule or make an example of the police but to demonstrate the sheer impact on what can be achieved if a targeted attack were to occur. Physical and cyber defences have never been so important so this exercise will hopefully voice vital changes to culture surrounding security among law enforcement and businesses alike.