OWASP Copenhagen

The Copenhagen local chapter organizes quarterly events to promote OWASP and information security in general.

We (re)started from the OWASP-Denmark local chapter with an initial event on October 25th, 2018.

Events

If interested in giving a talk, please send a message to Alessandro Bruni.

November 18th, 2020 [meetup]

A Night of Fraud and Deception

This time we will be focusing on fraud - primarily past, present and future of fraud and related crime in Denmark. The event will feature talks from Sune Gabelgård, Fraud Crusader at https://www.mobilepay.dk/ and Ketil Clorius, Head of Global Fraud Management at https://danskebank.dk/. We’ll talk about juicy, crazy mindblowing case studies and methods used by threat actors. History and future will also be touched upon.

May 5th, 2020 [meetup]

“Going Phishin’ with GoPhish” by Alethe Denis and Patrick Laverty

Want to learn how to put together a phishing campaign? Great, let’s do it. We will use the free and open-source tool GoPhish to launch campaigns. We’ll show how to install, set up GoPhish, create each of the necessary pieces and launch. We’ll also talk about pretexts and how “mean” should we be, and mix in some stories of phishing successes and failures.

April 16th, 2020 [meetup]

Claus Vesthammer

Ethics and philosophy, politics and procedures. Experiences with the framework of responsible disclosure, positive and negative from the real world. Common problems regarding detection of vulnerabilities vs. hacking.

Magnus K Stubman

Magnus will then provide a quick introduction to finding file permissions and privileged escalation vulnerabilities (DLL hijacking, etc.) in Windows with procmon, accessenum, ghidra and IOninja. And review related selected CVEs, our own and others.

Sticks & Stones, Breaking Bones, by Lucas Lundgren

Experiences in pentesting medical devices, including DICOM and PACS machines. References here: https://www.linkedin.com/pulse/sticks-stones-breaking-bones-lucas-lundgren/ https://techcrunch.com/2020/01/10/medical-images-exposed-pacs/

January 30th, 2020 [meetup]

Clickshare [slides]

Dmitry Janushkevich from F-Secure will talk about major vulnerabilities found in ClickShare. More info on https://labs.f-secure.com/advisories/multiple-vulnerabilities-in-barco-clickshare/

Cable haunt: [slides]

Researchers (mostly) from Lyrebirds found critical vulnerabilites found in various cable modems. They will talk about what they found and a bit on how. More info at https://cablehaunt.com/. Prior to the meeting it’s possible to join #chapters-copenhagen in the OWASP slack (invite link below) and ask questions and suggest topics to cover. So please do so.

DMARC (and friends): [slides]

Dennis Kjær Jensen (or just SiGNOUT) will tell you about DMARC, SPF and all the other email extending security features that you simply have to have enabled on your domain to not look to much like a fool now that it’s 2020 and those vulnerabilities have been around forever now. After that Kevin Kruse will tell you what he has done to secure his own email domain (via Proton Mail) and hopefully inspire you to do the same.

36c3 wrap-up: [slides]

Denis Smajlović will tell us about his (mis)adventures on his recent trip to Leipzig and 36c3.

Backdoors & Breaches:

Klaus Agnoletti will introduce you to ‘Backdoors & Breaches’, a card game designed to train the incident response process. After pizza I’ll set up a few gaming sessions. If you got a game at BSides København already, please bring it along with a 20-sided dice. If you don’t have it, fear not, I have a few games left that I’ll give away.

November 25th, 2019 [meetup]

Let’s Encrypt: An Automated Certificate Authority to Encrypt the Entire Web

Speaker: Alex Halderman

Abstract: Let’s Encrypt is a free, open, and automated HTTPS certificate authority (CA) created to advance HTTPS adoption to the entire Web. Since its launch in late 2015, Let’s Encrypt has grown to become theworld’s largest HTTPS CA, accounting for more currently valid certificates than all other browser-trusted CAs combined. By January2019, it had issued over 538 million certificates for 223 million domain names. We describe how we built Let’s Encrypt, including the architecture of the CA software system (Boulder) and the structure of the organization that operates it (ISRG), and we discuss lessons learned from the experience. We also describe the design of ACME,the IETF-standard protocol we created to automate CA–server inter-actions and certificate issuance, and survey the diverse ecosystem of ACME clients, including Certbot, a software agent we created to automate HTTPS deployment. Finally, we measure Let’s Encrypt’s impact on the Web and the CA ecosystem. We hope that the success of Let’s Encrypt can provide a model for further enhancements to the Web PKI and for future Internet security infrastructure.

Social Engineering For Physical Intrusions

Speaker: Sarka “the pirate queen”

Objectives: Objective is to let people understand what are different social engineering exploits that can be used against them, their employees or their loved ones. After holistic approach of different human attack vectors I use for my social engineering attacks for physical intrusions, I will step to the defensive side to let the audience understand what controls to put in place to stop a real malicious attackers.

Description: Social Engineering has many different faces from using open source intelligence (OSINT), phishing, vishing, smishing and all the other ‘-ishings’,dropping weaponized USB flash drives to eventually getting right in middle of your target’s own office! As there are many tools and described ways of all the -ishings, but almost all of them do not require any interaction with target. And I would like to focus on physical intrusions. If you are interested how I break into buildings like a pirate queen, I will explain how to interact with our target directly and that requires certain knowledge of techniques and skills.

There are many different skills and techniques while approaching a human target and testing their security. I would like to look at different human attack vectors.I also look at how to use this knowledge to not only understand world around us and better our own situational awareness, but I also explain why this is a fun topic we should teach our employees that would help with defending our company but also our loved ones. I like to uncover my offensive thinking while using facial expressions , body language or psychology research but I also see myself though someone else’s eyes, who’s daily bread is defending networks and tries to understand human factor while deploying defense in depth at work.

August 29th, 2019 [meetup]

Reporting on BSides Las Vegas and DEF CON

Presenter: Christian Dinesen, NNIT

Approaching Bluetooth in 2019

Presenter: Martin Schroter Abstract: Although Bluetooth has been around for the better part of 30 years, we keep innovating on the technology and new uses are found every year. I want to cover: vulnerabilities in Bluetooth 1 up to 5; understanding the cryptography of Bluetooth; going over the considerations your company needs to make, when you decide to adopt Bluetooth into your infrastructure; know your tools Ubertooth sniffing, btlejuice, btlejack, gattacker; jamming Bluetooth drones mid air! Can we really trust this technology and what are the challenges?

Experiences in OSINT

Presenter: Bjarne Tersbøl, Special Advisor at Konkurrence- og Forbrugerstyrelsen / Danish Competition and Consumer Autority

May 27th, 2019 [meetup]

Security in LPWAN IoT, a comparison (SigFox, LoRaWaN, NB-IoT)

Name: Florian Coman Bio: Security Analyst at TDC, MSc in Telecommunication at DTU Abstract: I’ve investigated the security features and possible vulnerabilities of some LPWAN IoT technologies: the license-free SigFox and LoRaWAN and the cellular NB-IoT. I have looked at their End-to-End architecture (from end-device to application server) and I will present some of my findings during the talk.

“Just Hacker Things with Jayson”

Name: Jayson E. Street (http://jaysonestreet.com/) Abstract: Instead of a usual talk, this will be an open discussion. He will share several stories of his travels & exploits (focused around Social Engineering where Jayson has mnay years of experience) but mostly will be there to answer questions about hacking, blue team, red team and DEF CON Groups! So come with questions and expect a few answers and a lot of great hugs!

March 28th, 2019 [meetup]

XSSER: From XSS to RCE 3.0 [slides]

Abstract: This presentation demonstrates how an attacker can utilise XSS to execute arbitrary code on the web server when an administrative user inadvertently triggers a hidden XSS payload. Custom tools and payloads integrated with Metasploit’s Meterpreter in a highly automated approach will be demonstrated live, including post-exploitation scenarios and interesting data that can be obtained from compromised web applications. This version includes more payloads for common web apps and various other improvements too!”
Author: Hans-Michael Varbaek / TDC Group

October 25th, 2018 [meetup]

An ice-cold Boot to break BitLocker [slides]

Authors: Olle Segerdahl & Pasi Saarinen / F-Secure

Sponsors

Local News

Meeting Locations: IT University of Copenhagen, Copenhagen Business School

Everyone is welcome to join us at our chapter meetings.