OWASP Copenhagen

The Copenhagen local chapter organizes quarterly events to promote OWASP and information security in general.

We (re)started from the OWASP-Denmark local chapter with an initial event on October 25th, 2018.

Events

If interested in giving a talk, please send a message to Alessandro Bruni.

Thursday, April 29, 2021 [meetup]

POST-QUANTUM DIGITAL SIGNATURES

Sahana Sridhar: https://www.linkedin.com/in/sahsridh/

Former IBM Test Specialist and Master of Science from Norwegian University of Science and Technology (NTNU). Sahana will enlighten you on the findings of her master thesis on post-quantum digital signatures based on identification schemes.

THE FAILURES OF NEMID AND THE THREAT OF QUANTUM COMPUTERS

Lars Embøll Nielsen: https://www.linkedin.com/in/qkd/

Lars will take you on a journey through the failures of NemID, the legal landscape of digital signatures in EU and why Quantum Computers can be a threat to the way we currently keep digital signatures secure.

AS ALWAYS…. … you will have the opportunity to ask questions for the participants

Thursday, March 25, 2021 [meetup]

DISCOUNT PHISH BURN BETTER and USER MODE API HOOKS AND BYPASSES

Note: THIS IS AN ONLINE EVENT! Link to stream will be released here prior to the event.

THE SPEAKER

Magnus Stubman, Security Advisor at Improsec and former security consultant at F-Secure and Zacco. https://www.linkedin.com/in/magnusstubman/

Magnus started his career as a software developer and later turned his attention to Cyber Security, specifically attack and penetration testing, both digital and physical. Today Magnus specialize in Red Teaming.

Magnus will do something we haven’t facilited in OWASP CPH before - He will do a double-presentation - to take you on a technical security ride.. Keep reading to learn more…

Thursday, February 18, 2021 [meetup]

SIEM and Elasticsearch for absolute beginners

Curious about SIEM and/or Elastic? You heard about it, but don’t really know what it is? You know what it is, but curious about what to do next? This is the talk for you! We will have a few subjects for you:

  • SIEM as a concept
  • Elastic as platform and it’s usability
  • Introduction to Elastic SIEM
  • Introduction to TheHive - a security incident response platform that can help you get the most out of your Elastic platform.

Elastic is available for free - so is TheHive. So everybody can be on board here.

Tuesday, February 16, 2021 [meetup]

Mød Alexander Krog, en af Lyrebirds ethical hackers (OWASP youth event)

Disclaimer: the event will be in Danish, targeted at students 15-25 years old. Everyone is welcome to participate.

Har du altid undret dig over hvordan livet som professionel hacker er? Måske vil du gerne være én? Mød Alexander Krog, som sammen med sit hold af hackere ”Lyrebirds” opdagede “Cablehaunt”, en kritisk sårbarhed som var i stand til at give hackere adgang til modems rundt omkring i hele verden, hvilket potentielt ville have katastrofale konsekvenser. Alex vil fortælle sin historie, hvordan han endte op som en der professionelt finder IT-sikkerhedsmæssigfe sårbarheder, hvordan de fandt det nævnte sikkerhedshul. Alex deler sit indblik og erfaring indenfor IT-sikkerheds verdenen. Efterfølgende stiller Alex op til alle dine spørgsmål på YouTube.

January 21st, 2021 [meetup]

As we move into this mid- and post-pandemic world with remote and in-office work blending, what must organizations consider, in order to sustain data and application security and privacy while still considering an efficient working- and user experience? How does remote work change the security stack mix? And what’s still missing?

We will also be diving into how innovation in cyber became a must and how that can and will support companies and users on a daily basis.

YOUR PANELISTS ARE

Lone Juul Dransfeldt Christensen, Senior Security Architect at Bang & Olufsen. Formely in NNIT and the Danish Police. https://www.linkedin.com/in/ldransfeldt/

Martin Clausen, Chief Security Architect, Head of Architecture, Research and Development at Saxo Bank. Former Head of Cyber Innovation Labs at Danske Bank. https://www.linkedin.com/in/martin-clausen/

Luke Herbert-Andersen, PhD in Computer Science. https://www.linkedin.com/in/lukeherbert/

Oksana Kulyk, Assistant Professor, Center for Information Security and Trust, IT-Universtiy of Copenhagen. Co-PI of the ASCD project (Assessment on the Status of CyberSecurity in Denmark). https://twitter.com/okskulyk/

December 10th, 2020 [meetup]

Tim Sloth Jørgensen

Program chief for cybersecurity in the Danish Industry Foundation, Chief Strategy Officer of Defence and Security at Terma A/S, advisor to the Danish Ministry og Defence, professor at Copenhagen Business School, former Chief of the Danish Defence. https://www.linkedin.com/in/tim-sloth-jorgensen-3b199a23/

Tim will share his insights based on several years of first-hand experience, and will tell us about what they are looking for when investing in new cybersecurity projects - What is he anticipating? Is he hopeful or concerned for the future?

Rasmus L. Fruergaard-Pedersen, Security Software Engineer at Kamstrup

(https://www.linkedin.com/in/rfruergaard/)

Rasmus enables the business to use security correctly. Innovation in software, sensors and communications is what the company Kamstrup is associated with, but how do they ensure a sufficient security stance across a business spanning that wide? Rasmus will talk briefly about technical security champions, business security principles and how to ensure a common understanding of what security is acceptable.

What will you learn from this talk? Translating technical security to business risk; Making security a competitive parameter; Questions to ask when wanting to secure a product in a complex business environment.

November 18th, 2020 [meetup]

A Night of Fraud and Deception

This time we will be focusing on fraud - primarily past, present and future of fraud and related crime in Denmark. The event will feature talks from Sune Gabelgård, Fraud Crusader at https://www.mobilepay.dk/ and Ketil Clorius, Head of Global Fraud Management at https://danskebank.dk/. We’ll talk about juicy, crazy mindblowing case studies and methods used by threat actors. History and future will also be touched upon.

May 5th, 2020 [meetup]

“Going Phishin’ with GoPhish” by Alethe Denis and Patrick Laverty

Want to learn how to put together a phishing campaign? Great, let’s do it. We will use the free and open-source tool GoPhish to launch campaigns. We’ll show how to install, set up GoPhish, create each of the necessary pieces and launch. We’ll also talk about pretexts and how “mean” should we be, and mix in some stories of phishing successes and failures.

April 16th, 2020 [meetup]

Claus Vesthammer

Ethics and philosophy, politics and procedures. Experiences with the framework of responsible disclosure, positive and negative from the real world. Common problems regarding detection of vulnerabilities vs. hacking.

Magnus K Stubman

Magnus will then provide a quick introduction to finding file permissions and privileged escalation vulnerabilities (DLL hijacking, etc.) in Windows with procmon, accessenum, ghidra and IOninja. And review related selected CVEs, our own and others.

Sticks & Stones, Breaking Bones, by Lucas Lundgren

Experiences in pentesting medical devices, including DICOM and PACS machines. References here: https://www.linkedin.com/pulse/sticks-stones-breaking-bones-lucas-lundgren/ https://techcrunch.com/2020/01/10/medical-images-exposed-pacs/

January 30th, 2020 [meetup]

Clickshare [slides]

Dmitry Janushkevich from F-Secure will talk about major vulnerabilities found in ClickShare. More info on https://labs.f-secure.com/advisories/multiple-vulnerabilities-in-barco-clickshare/

Cable haunt: [slides]

Researchers (mostly) from Lyrebirds found critical vulnerabilites found in various cable modems. They will talk about what they found and a bit on how. More info at https://cablehaunt.com/. Prior to the meeting it’s possible to join #chapters-copenhagen in the OWASP slack (invite link below) and ask questions and suggest topics to cover. So please do so.

DMARC (and friends): [slides]

Dennis Kjær Jensen (or just SiGNOUT) will tell you about DMARC, SPF and all the other email extending security features that you simply have to have enabled on your domain to not look to much like a fool now that it’s 2020 and those vulnerabilities have been around forever now. After that Kevin Kruse will tell you what he has done to secure his own email domain (via Proton Mail) and hopefully inspire you to do the same.

36c3 wrap-up: [slides]

Denis Smajlović will tell us about his (mis)adventures on his recent trip to Leipzig and 36c3.

Backdoors & Breaches:

Klaus Agnoletti will introduce you to ‘Backdoors & Breaches’, a card game designed to train the incident response process. After pizza I’ll set up a few gaming sessions. If you got a game at BSides København already, please bring it along with a 20-sided dice. If you don’t have it, fear not, I have a few games left that I’ll give away.

November 25th, 2019 [meetup]

Let’s Encrypt: An Automated Certificate Authority to Encrypt the Entire Web

Speaker: Alex Halderman

Abstract: Let’s Encrypt is a free, open, and automated HTTPS certificate authority (CA) created to advance HTTPS adoption to the entire Web. Since its launch in late 2015, Let’s Encrypt has grown to become theworld’s largest HTTPS CA, accounting for more currently valid certificates than all other browser-trusted CAs combined. By January2019, it had issued over 538 million certificates for 223 million domain names. We describe how we built Let’s Encrypt, including the architecture of the CA software system (Boulder) and the structure of the organization that operates it (ISRG), and we discuss lessons learned from the experience. We also describe the design of ACME,the IETF-standard protocol we created to automate CA–server inter-actions and certificate issuance, and survey the diverse ecosystem of ACME clients, including Certbot, a software agent we created to automate HTTPS deployment. Finally, we measure Let’s Encrypt’s impact on the Web and the CA ecosystem. We hope that the success of Let’s Encrypt can provide a model for further enhancements to the Web PKI and for future Internet security infrastructure.

Social Engineering For Physical Intrusions

Speaker: Sarka “the pirate queen”

Objectives: Objective is to let people understand what are different social engineering exploits that can be used against them, their employees or their loved ones. After holistic approach of different human attack vectors I use for my social engineering attacks for physical intrusions, I will step to the defensive side to let the audience understand what controls to put in place to stop a real malicious attackers.

Description: Social Engineering has many different faces from using open source intelligence (OSINT), phishing, vishing, smishing and all the other ‘-ishings’,dropping weaponized USB flash drives to eventually getting right in middle of your target’s own office! As there are many tools and described ways of all the -ishings, but almost all of them do not require any interaction with target. And I would like to focus on physical intrusions. If you are interested how I break into buildings like a pirate queen, I will explain how to interact with our target directly and that requires certain knowledge of techniques and skills.

There are many different skills and techniques while approaching a human target and testing their security. I would like to look at different human attack vectors.I also look at how to use this knowledge to not only understand world around us and better our own situational awareness, but I also explain why this is a fun topic we should teach our employees that would help with defending our company but also our loved ones. I like to uncover my offensive thinking while using facial expressions , body language or psychology research but I also see myself though someone else’s eyes, who’s daily bread is defending networks and tries to understand human factor while deploying defense in depth at work.

August 29th, 2019 [meetup]

Reporting on BSides Las Vegas and DEF CON

Presenter: Christian Dinesen, NNIT

Approaching Bluetooth in 2019

Presenter: Martin Schroter Abstract: Although Bluetooth has been around for the better part of 30 years, we keep innovating on the technology and new uses are found every year. I want to cover: vulnerabilities in Bluetooth 1 up to 5; understanding the cryptography of Bluetooth; going over the considerations your company needs to make, when you decide to adopt Bluetooth into your infrastructure; know your tools Ubertooth sniffing, btlejuice, btlejack, gattacker; jamming Bluetooth drones mid air! Can we really trust this technology and what are the challenges?

Experiences in OSINT

Presenter: Bjarne Tersbøl, Special Advisor at Konkurrence- og Forbrugerstyrelsen / Danish Competition and Consumer Autority

May 27th, 2019 [meetup]

Security in LPWAN IoT, a comparison (SigFox, LoRaWaN, NB-IoT)

Name: Florian Coman Bio: Security Analyst at TDC, MSc in Telecommunication at DTU Abstract: I’ve investigated the security features and possible vulnerabilities of some LPWAN IoT technologies: the license-free SigFox and LoRaWAN and the cellular NB-IoT. I have looked at their End-to-End architecture (from end-device to application server) and I will present some of my findings during the talk.

“Just Hacker Things with Jayson”

Name: Jayson E. Street (http://jaysonestreet.com/) Abstract: Instead of a usual talk, this will be an open discussion. He will share several stories of his travels & exploits (focused around Social Engineering where Jayson has mnay years of experience) but mostly will be there to answer questions about hacking, blue team, red team and DEF CON Groups! So come with questions and expect a few answers and a lot of great hugs!

March 28th, 2019 [meetup]

XSSER: From XSS to RCE 3.0 [slides]

Abstract: This presentation demonstrates how an attacker can utilise XSS to execute arbitrary code on the web server when an administrative user inadvertently triggers a hidden XSS payload. Custom tools and payloads integrated with Metasploit’s Meterpreter in a highly automated approach will be demonstrated live, including post-exploitation scenarios and interesting data that can be obtained from compromised web applications. This version includes more payloads for common web apps and various other improvements too!”
Author: Hans-Michael Varbaek / TDC Group

October 25th, 2018 [meetup]

An ice-cold Boot to break BitLocker [slides]

Authors: Olle Segerdahl & Pasi Saarinen / F-Secure

Sponsors

Local News

Meeting Locations: IT University of Copenhagen, Copenhagen Business School

Everyone is welcome to join us at our chapter meetings.