Presentations
HITBAMS – Your Not so “Home” Office – Soho Hacking at Pwn2Own
Alex Plaskett and McCaulay Hudson presented this talk at HITB AMS on the 20th April 2023. The talk showcased NCC Exploit Development Group (EDG) in Pwn2Own 2022 Toronto targeting all consumer routers (Netgear, TP-Link and Synology) from both a LAN and WAN perspective. The talk also described how we compromised…
Fuzzing the Easy Way Using Zulu
Andy Davis, NCC Group’s Research Director, presented Fuzzing the Easy Way Using Zulu at the 2014 Nullcon conference in Goa, India. The presentation describes how Zulu has been successfully used to discover high-profile bugs and details the motivations for developing the tool. Download our slides
Hacking the Extensible Firmware Interface
Agenda: The role of the BIOS; Attacking a legacy BIOS; Limitations of the legacy BIOS; Introduction to the EFI environment; Attacking the EFI environment; UEFI, summary and conclusions. Some Caveats… This talk is about rootkit persistence. How to deploy a rootkit from the BIOS/EFI. Not concerned with what…
Advanced Exploitation of Oracle PL/SQL Flaws
Objectives: discuss current “threat landscape”; introduce a new class of vulnerability; introduce a new method of attack; show practical demonstrations; look at some defences. Download presentation. Author: David Litchfield
Firmware Rootkits: The Threat to the Enterprise
Agenda: Recap of ACPI BIOS rootkit and limitations; Brief overview of the PCI Bus; Abusing expansion ROMs; Abusing PXE; Detection, Prevention and the TPM; Summary and conclusions. Download presentation. Author: John Heasman
Database Security: A Christmas Carol
The Past, Present and Future of Database Security. In 2006 there were 335 publicized data breaches in the U.S. So far in 2007 there have been 276. With the 5th anniversary of the SQL Slammer worm drawing near, now is as good a time as any to look back on…
VoIP Security Methodology and Results
VoIP Security Issues The issues brought up in VoIP security and throughout this presentation are not new and are not a surprise. Telephony experience and IP experience combined with a security focused mindset are enough to combat these issues. There is a lot of public coverage of VoIP issues, however…
U plug, we play
These slides are from David Middlehurst’s presentation at the BSides Manchester conference. The presentation includes information on a new open source tool called ‘UPnP Pentest Toolkit’. Download Presentation
SSL checklist for pentesters
These slides are from Jerome Smith’s presentation at BSides MCR 2014. It tackles the subject of SSL/TLS testing from the viewpoint of a penetration tester. It is a practical guide, broad in scope, focusing on pitfalls and how to check issues manually (as much as possible). Download presentation
Dissecting social engineering attacks
These slides are from Robert Ray’s presentation at the Trust Forum in Edinburgh. The presentation looks at the common social engineering tactics and provides hints and tips on how to detect, prevent and respond to a social engineering attack. Download presentation
External Enumeration and Exploitation of Email and Web Security Solutions
Ben Williams, security consultant at NCC Group, presented his talk, External Enumeration and Exploitation of Email and Web Security Solutions at Black Hat USA. He also produced two whitepapers which include statistical analysis of the filtering products, services and policies used by some of the world’s top companies. Download presentation…
Social Engineering
These slides are from Panagiotis Gkatziroulis’ presentation at the Trust Forum in London. It looks at the common social engineering methods, tools and mitigation involved in social engineering attacks. Download presentation
Phishing Stories
These slides are from Shaun Jones’ presentation at the Trust Forum in Manchester. He gave examples of real-life phishing attacks and provided tips on how you can protect yourself. Download presentation
Automating extraction from malware and recent campaign analysis
These slides are from David Cannings’ presentation at the 44CON Breakfast Briefing. The talk is titled Automating extraction from malware and recent campaign analysis, and includes an overview of some recent targeted campaigns. Download presentation
DDoS Common Approaches and Failings
This webinar looks at the reasons that DDoS mitigation may not be working and what you should be thinking about to protect your business from a DDoS attack, including examples of some testing we have done and common approaches. Download presentation
Absolute Security
These slides are from Rory McCune’s presentation at the Trust Forum in Edinburgh. In his presentation he looked at how everything from celebrity hacking to the Heartbleed bug can be explained by a lack of context, and what you can do to avoid the trap of absolute security. Download presentation
How much training should staff have on cyber security?
These slides are from Irene Michlin’s presentation at the Trust Forum in London. It looked at how much training staff should have on cyber security. Download presentation
USB under the bonnet: Implications of USB security vulnerabilities in vehicle systems
Andy Davis, research director at NCC Group, delivered this presentation at the escar Embedded Security in Cars Conference in Hamburg. His talk focused on how USB security affects embedded systems within vehicles. It covered an overview of USB basics and some classic examples of where vulnerabilities have been previously identified.…
Cyber Essentials Scheme
These slides are from Matt Storey’s presentation at the Trust Forum in Manchester. He discussed what Cyber Essentials is, who it is for and the benefits it has for your organisation. Download presentation
Webinar – PCI Version 3.0: Are you ready?
This webinar talked through the changes to the new PCI SSC version 3.0 standard in detail and how they will affect your business, the things you need to be thinking about now and the timescales in which you have to react to the changes. Download our presentation Download the presentation…
Webinar: 4 Secrets to a Robust Incident Response Plan
David Cannings, Principal Consultant at NCC Group, delivered a fantastic webinar on four key considerations when building a robust incident response plan. The webinar covered: an introduction (why a plan is needed); what the risks are; four key considerations; case studies for each consideration. More resources on incident response…
Cloud Security Presentation
These slides are from David FB.Page presentation at the Manchester Trust Forum. The presentation includes information on cloud security and how the different types of cloud implementations could affect your organisation’s security. Download presentation
Webinar: SMACK, SKIP-TLS & FREAK SSL/TLS vulnerabilities
These slides were presented as part of the SMACK, SKIP-TLS & FREAK SSL/TLS vulnerabilities webinar series. Our Technical Director, Ollie Whitehouse, covered: a high-level overview of the threat; the impact of the threat; what is affected/impacted by it; details on how the exploitation works; details on Man in the Middle; How to…
Revealing Embedded Fingerprints: Deriving intelligence from USB stack interactions
These slides come from Andy Davis’ presentation at Black Hat USA 2013. Andy’s presentation covers the topic of using techniques to analyse USB stack interactions to provide information such as the OS running on the embedded device, the USB drivers installed…
Maritime Cyber Security: Threats and Opportunities
This presentation about maritime cyber security, delivered at the CIRM Annual Meeting in Cyprus, looks at the cyber threats to the maritime industry, an overview of the attack surface, the impact of some of the risks they face and a look at what solutions are available in the short, medium…
The L4m3ne55 of Passw0rds: Notes from the field
This presentation about the “lameness of passwords” was delivered by Ben Williams, senior security consultant at NCC Group, at the 44Con Café event at the IP Expo in Manchester. Williams talked about his experience of breaking into networks and applications with a variety of password attack tools and techniques. It…
Mature Security Testing Framework
These slides are from Matt Storey’s presentation at the Edinburgh Trust Forum. This presentation looks at security testing frameworks, the scheduling aspects of the various forms of testing and other options, such as using STAR or red team assessments to test gaps in IT security controls. Download presentation
Exporting non-exportable RSA keys
These slides are from Jason Geffner’s presentation “Exporting Non-Exportable RSA Keys” that he presented at Black Hat Europe in 2011. In this presentation Jason will cover security issues surrounding RSA keys and Digital Certificates. Download presentation To read the white paper that accompanies these slides click here.
Black Hat USA 2015 presentation: Broadcasting your attack-DAB security
Broadcasting your attack – DAB security. This presentation was presented at Black Hat USA 2015. Digital Audio Broadcasting (DAB) radio receivers can be found in many new cars and are often integrated into what has become known as the “infotainment system” – typically a large screen in the dashboard that…
The role of security research in improving cyber security
These slides are from a presentation, “The Role of Security Research in Improving Cyber Security” by Andy Davis. The presentation discusses the role of security research in helping to improve cyber security. Download presentation
Self-Driving Cars- The future is now…
Matt Lewis, associate director at NCC Group, presented a talk at the Oredev conference in Sweden on how self-driving cars are no longer science fiction. Investment is already being made into this area and commercially available vehicles will be available in the next decade. Matt’s talk discusses the possibilities and…
They Ought to Know Better: Exploiting Security Gateways via their Web Interfaces
These slides are from Ben Williams’ presentation “They ought to know better: Exploiting Security Gateways via their Web Interfaces”, that he presented at Black Hat Europe in 2012. In this presentation Ben will discuss the 40+ exploits that have been discovered and ways that some of these can be used…
Mobile apps and security by design
In this presentation Ollie Whitehouse will be discussing how to develop or purchase COTS mobile apps for my enterprise while ensuring security. Download presentation
The Myth of Twelve More Bytes: Security on the Post-Scarcity Internet
These slides come from Alex Stamos & Tom Ritter’s presentation, “The Myth of Twelve More Bytes: Security on the Post-Scarcity Internet” from Black Hat USA in 2012. This presentation will cover the new changes to the internet’s infrastructure and the concerns around this. Download presentation
When Security Gets in the Way: PenTesting Mobile Apps That Use Certificate Pinning
These slides come from Justine Osborne & Alban Diquet’s presentation from Black Hat USA 2012. In this presentation they will explain what certificate pinning is and how it works in the iOS and Android systems. Download Presentation
USB Undermining Security Barriers: further adventures with USB
These slides come from Andy Davis’ presentation from Black Hat USA in 2011. In this presentation Andy will discuss some of the security vulnerabilities around using USBs and the impact these vulnerabilities could have on your organisation. Download Presentation There is also a white paper on this subject, you can…
Software Security Austerity Security Debt in Modern Software Development
These slides come from Ollie Whitehouse’s presentation “Software Security Austerity Security Debt in Modern Software Development” that he gave at 44Con in 2012. In this presentation Ollie will explain software security debt and ways that this debt can be managed. Download presentation
RSA Conference – Mobile Threat War Room
These slides are from Ollie Whitehouse’s presentation from the 2012 RSA Conference, eFraud Global Forum in London. In this presentation Ollie will discuss some of the big trends in mobile security from 2012, providing some technical details and real world examples, and then he will give his predictions for threats…
Finding the weak link in binaries
These slides are from Ollie Whitehouse’s presentation from Hack in the Box in Kuala Lumpur. In the presentation Ollie will discuss the What, Why and How of discovering the weak link in binaries. Download presentation
To dock or not to dock, that is the question: Using laptop docking stations as hardware-based attack platforms
These slides come from Andy Davis’ presentation from BlackHat Europe 2013. In this presentation he will explain why docking stations are an attractive target for an attacker, how they can be attacked and discuss ways to detect and prevent such attacks. Download Presentation You can also read the white paper…
Harnessing GPUs Building Better Browser Based Botnets
These slides come from Marc Blanchou’s presentation at Black Hat Europe, Harnessing GPUs: Building Better Browser Based Botnets. In the presentation Marc discusses harnessing GPUs with browser-based botnets for distributed and cheaper cracking, and will consider botnet impact, cost, stealth requirements and portability when building better browser based botnets.…
Hacking Displays Made Interesting
Many people are unaware that video displays send data which is then processed by the connected device and that this data can contain security threats. This paper aims to act as a useful introduction to the technologies involved in video interfacing, the potential for security vulnerabilities and ways to test for their…
What the HEC? Security implications of HDMI Ethernet Channel and other related protocols
These slides come from Andy Davis’ presentation “What the HEC? Security implications of HDMI Ethernet Channel and other related protocols” that was given at 44Con in 2012. In this presentation Andy discusses the importance of, and security issues surrounding, HDMI, the CEC protocol and the HEC protocol. Download our slides…
44CON Workshop – How to assess and secure iOS apps
These slides are supporting documentation used as part of a 44CON workshop we held in September 2013 which was delivered by Bernardo Damele on assessing and securing iOS apps. Download Presentation
Payment Card Industry Data Security Standard (PCI DSS) A Navigation and Explanation of Changes from v2.0 to v3.0
Over a series of webinars, Rob Chahin of NCC Group presented on the changes to PCI DSS from v2.0 to v3.0. The presentation will explain the changes to requirements that will be implemented from version 2.0 to version 3.0. Download presentation
Mobile World Congress – Mobile Internet of Things
NCC Group Research Director Andy Davis presented on The Mobile Internet of Things and Cyber Security at this year’s Mobile World Congress in Barcelona. The presentation covered how everything from rubbish bins to refrigerators has been in the spotlight recently from a security point of view and the key things…
Practical SME security on a shoestring
These slides come from a presentation given by Matt Summers at the Cyber Security Breakfast Meetings for Industry in February. “Security is big business, with new threats emerging every day and companies offering software and services to mitigate these threats, securing your network can be expensive. No one has an…
BlackHat Asia USB Physical Access
NCC Group Research Director Andy Davis presented ‘USB Attacks Need Physical Access Right? Not Any More…’ at this year’s BlackHat Asia in Singapore. Due to recent advances in a number of remoting technologies, USB attacks can now be launched over a network. The talk went into detail about how these…
How we breach network infrastructures and protect them
We showcased at a client’s corporate event how we technically assess and breach network infrastructures, before attackers do. Throughout the talk a number of questions were answered: what network design mistakes and defective assumptions lead to security breaches? What are the weakest entry points of your network perimeter? How do…
Hacking a web application
NCC Group’s Thomas MacKenzie delivered this live demo on how to hack websites during the NCC Group website performance and optimisation day. Download presentation
Batten down the hatches: Cyber threats facing DP operations
These slides are from Andy Davis’ presentation at the European Dynamic Positioning Conference in London. The presentation looks at the cyber threats facing dynamic positioning operations, along with some short-term solutions to increase levels of cyber security. Download presentation
Threats and vulnerabilities within the Maritime and shipping sectors
These slides are from Yevgen Dyryavyy’s presentation at the Smart Operations summit in Hong Kong. The presentation, Threats and vulnerabilities within the Maritime sector, features excerpts from the whitepaper he recently authored about the potential weaknesses within Electronic Chart Display and Information Systems and shipboard networks. It also features a…