Presentations

Aaron Adams presented this talk at HITB Phuket on the 24th August 2023. The talk detailed how NCC Exploit Development Group (EDG) in Pwn2Own 2022 Toronto was able to exploit two different PostScript vulnerabilities in Lexmark printers. The presentation is a good primer for those interested in further researching the…

Alex Plaskett (@alexjplaskett) presented a talk on the 10th of August 2023 at @SysPWN covering vulnerability research for Pwn2Own. The first section of the talk covered a high-level perspective of the event, personal history, and teams. It then discussed some considerations needing to be made when deciding on target, experiences,…

Alex Plaskett and McCaulay Hudson presented this talk at HITB AMS on the 20th April 2023. The talk showcased NCC Exploit Development Group (EDG) in Pwn2Own 2022 Toronto targeting all consumer routers (Netgear, TP-Link and Synology) from both a LAN and WAN perspective.  The talk also described how we compromised…

Andy Davis, NCC Group’s Research Director presented Fuzzing the Easy Way Using Zulu at the 2014 Nullcon conference in Goa, India. The presentation describes how Zulu has been successfully used to discover high profile bugs and details the motivations for developing the tool. Download our slides

Agenda The role of the BIOS Attacking a legacy BIOS Limitations of the legacy BIOS Introduction to the EFI environment Attacking the EFI environment UEFI, summary and conclusions Some Caveats… This talk is about rootkit persistenceThis persistence How to deploy a rootkit from the BIOS/EFIHow EFI Not concerned with what…

Objectives Discuss current “threat landscape” Introduce a new class of vulnerability Introduce a new method of attack Show practical demonstrations Look at some defences Download presentation Author: David Litchfield

Agenda Recap of ACPI BIOS rootkit and limitations Brief overview of the PCI Bus Abusing expansion ROMs Abusing PXE Detection, Prevention and the TPM Summary and conclusions Download presentation Author: John Heasman

The Past, Present and Future of Database Security In 2006 there were 335 publicized data breaches in the U.S. So far in 2007 there have been 276. With the 5th anniversary of the SQL Slammer worm drawing near, now is a good a time as any to look back on…

VoIP Security Issues The issues brought up in VoIP security and throughout this presentation are not new and are not a surprise. Telephony experience and IP experience combined with a security focused mindset are enough to combat these issues. There is a lot of public coverage of VoIP issues, however…

These slides are from David Middlehurst’s presentation at the BSides Manchester conference. The presentation includes information on a new open source tool called ‘UPnP Pentest Tookit’. Download Presentation

These slides are from Jerome Smith’s presentation at BSides MCR 2014. It tackles the subject of SSL/TLS testing from the viewpoint of a penetration tester. It is a practical guide, broad in scope, focusing on pitfalls and how to check issues manually (as much as possible). Download presentation

These slides are from Robert Ray’s presentation at the Trust Forum in Edinburgh. The presentation looks at the common social engineering tactics and provides hints and tips on how to detect, prevent and respond to a social engineering attack. Download presentation

Ben Williams, security consultant at NCC Group, presented his talk, External Enumeration and Exploitation of Email and Web Security Solutions at Black Hat USA. He also produced two whitepapers which include statistical analysis of the filtering products, services and policies used by some of the world’s top companies. Download presentation…

These slides are from Panagiotis Gkatziroulis’ presentation at the Trust Forum in London. It looks at the common social engineering methods, tools and mitigation involved in social engineering attacks. Download presentation

These slides are from Shaun Jones’ presentation at the Trust Forum in Manchester. He gave examples of real-life phishing attacks and provided tips on how you can protect yourself. Download presentation

These slides are from David Cannings presentation at the 44CON Breakfast Briefing. The talk is titled Automating extraction from malware and recent campaign analysis, and includes an overview of some recent targeted campaigns. Download presentation

DDoS Common Approaches and Failings This webinar looks at the reasons that DDoS mitigation may not be working and what you should be thinking about to protect your business from a DDoS attack, including examples of some testing we have done and common approaches. Download presentation

These slides are from Rory McCunes’ presentation at the Trust Forum in Edinburgh. In his presentation he looked at everything from celebrity hacking to the Heartbleed bug can be explained by a lack of context, and what you can do to avoid the trap of absolute security. Download presentation

These slides are from Irene Michlin’s presentation at the Trust Forum in London. It looked at how much training staff should have on cyber security. Download presentation

Andy Davis, research director at NCC Group, delivered this presentation at the  escar Embedded Security in Cars Conference in Hamburg. His talk focused on how USB security affects embedded systems within vehicles. It covered an overview of USB basics and some classic examples of where vulnerabilities have been previously identified.…

Cyber Essentials Scheme These slides are from Matt Storey’ presentation at the Trust Forum in Manchester. He discussed what Cyber Essentials is, who it is for and the benefits it has to your organisation. Download presentation

This webinar talked through the changes to the new PCI SSC version 3.0 standard in detail and how they will affect your business, the things you need to be thinking about now and the timescales in which you have to react to the changes. Download our presentation Download the presentation…

David Cannings, Principal Consultant at NCC Group, delivered a fantastic webinar on four key considerations when building a robust incident response plan.  The webinar covered: An introduction – why a plan is needed What the risks are Four key considerations Case studies for each consideration More resources on incident response…

These slides are from David FB.Page presentation at the Manchester Trust Forum. The presentation includes information on cloud security and how the different types of cloud implementations could affect your organisation’s security. Download presentation

These slides were presented as part of the SMACK, SKIP-TLS FREAK SSL/TLS vulnerabilities webinar series Our Technical Director, Ollie Whitehouse covered: High level overview of the threat Impact of the threat What is affected/impacted by it Details on how the exploitation works Details on Man in the Middle How to…

Revealing Embedded Fingerprints: Deriving intelligence from USB stack interactions These slides come from Andy Davis’ presentation at Black Hat USA 2013. Andy’s presentation covers the topic of using techniques to analyse USB stack interactions to provide information such as the OS running on the embedded device, the USB drivers installed…

This presentation about maritime cyber security, delivered at the CIRM Annual Meeting in Cyprus, looks at the cyber threats to the maritime industry, an overview of the attack surface, the impact of some of the risks they face and a look at what solutions are available in the short, medium…

This presentation about the “lameness of passwords” was delivered by Ben Williams, senior security consultant at NCC Group, at the 44Con Café event at the IP Expo in Manchester. Williams talked about his experience of breaking into networks and applications with a variety of password attack tools and techniques. It…

These slides are from Matt Storey’s presentation at the Edinburgh Trust Forum. This presentation looks at security testing frameworks, the scheduling aspects of the various forms of testing and other options, such as using STAR or red team assessments to test gaps in IT security controls. Download presentation

These slides are from Jason Geffner’s presentation “Exporting Non-Exportable RSA Keys” that he presented at Black Hat Europe in 2011. In this presentation Jason will cover security issues surrounding RSA keys and Digital Certificates. Download presentation To read the white paper that accompanies these slides click here.

Broadcasting your attack – DAB security This presentation was presented at Black Hat USA 2015  Digital Audio Broadcasting (DAB) radio receivers can be found in many new cars and are often integrated into what has become known as the “infotainment system” – typically a large screen in the dashboard that…

These slides are from a presentation, “The Role of Security Research in Improving Cyber Security” by Andy Davis. The presentation discusses the role of security research in helping to improve cyber security.  Download presentation

Matt Lewis, associate director at NCC Group presented a talk at the Oredev conference in Sweden on how self-driving cars is no longer science fiction. Investment is already being made into this area and commercially available vehicles will be available in the next decade. Matt’s talk discusses the possibilities and…

These slides are from Ben Williams’ presentation “They ought to know better: Exploiting Security Gateways via their Web Interfaces”, that he presented at Black Hat Europe in 2012. In this presentation Ben will discuss the 40+ exploits that have been discovered and ways that some of these can be used…

In this presentation Ollie Whitehouse will be discussing How to develop or purchase COTS mobile apps for my enterprise while ensuring security.  Download presentation

These slides come from Alex Stamos Tom Ritter’s presentation, “The Myth of Twelve More Bytes: Security on the Post-Scarcity Internet” from Black Hat USA in 2012. In this presentation will cover the new changes to the internet’s infrastructure and the concerns around this. Download presentation

These slides come from Justine Osborne Alban Diquet’s presentation from Black Hat USA 2012. In this presentation they will explain what certificate pinning is and how it works in the IOS and Android systems. Download Presentation

These slides come from Andy Davis’ presentation from Black Hat USA in 2011. In this presentation Andy will discuss some of the security vulnerabilities around using USBs and the impact these vulnerabilities could have on your organisation.  Dowload Presentation There is also a white paper on this subject, you can…

These slides come from Ollie Whitehouse’s presentation “Software Security Austerity Security Debt in Modern Software Development” that he gave at 44Con in 2012. In this presentation Ollie will explain software security debt and ways that this debt can be managed. Download presentation

These slides are from Ollie Whitehouse’s presentation from the 2012 RSA Conference, eFraud Global Forum in London. In this presentation Ollie will discuss some of the big trends in mobile security form 2012, providing some technical details and real world examples, and then he will give his predictions for threats…

These slides are from Ollie Whitehouse’s presentation from Hack in the Box in Kuala Lumpur. In the presentation Ollie will discuss the What, Why and How of discovering weak link in binaries.  Download presentation

These slides come from Andy Davis’ presentation from BlackHat Europe 2013. In this presentation he will explain why docking stations are an attractive target for an attacker, how they can be attacked and discuss ways to detect and prevent such attacks.  Download Presentation You can also read the white paper…

These slides come from Marc Blanchou’s presentation at Black Hat Europe, Harnessing GP Us: Building Better Browser Based Botnets. In the presentation Marc discusses Harnessing GPUs with browser-based botnets for distributed and cheaper cracking, and will consider botnet impact, cost, stealth requirements and portability when building better browser based botnets.…

Many people are unaware that video displays send data which is then processed by the connected device and that this data can contain security threats. This paper aims to act as a useful introduction to the technologies involved in video interfacing, the potential for security vulnerabilities and ways to test for their…

These slides come from Andy Davis’ presentation “What the HEC? Security implications of HDMI Ethernet Channel and other related protocols” that was given at 44Con in 2012. In this presentation Andy discusses the importance of and security issues surrounding, HDMI, the CEC protocol and the HEC protocol.   Download our slides…

These slides are supporting documentation used as part of a 44CON workshop we held in September 2013 which was delivered by Bernardo Damele on assessing and securing iOS apps. Download Presentation

Over a series of Webinars Rob Chahin of NCC Group presented on the changes to PCI DSS from V2.0 to V3.0. The presentation will explain the changes to requirements that will be implemented from version 2.0 to version 3.0.  Download presentation

NCC Group Research Director Andy Davis presented on The Mobile Internet of Things and Cyber Security at this year’s Mobile World Congress in Barcelona. The presentation covered how everything from rubbish bins to refrigerators have been in the spotlight recently from a security point of view and the key things…

These slides come from a presentation given by Matt Summers at the Cyber Security Breakfast Meetings for Industry in February. “Security is big business, with new threats emerging every day and companies offering software and services to mitigate these threats securing your network can be expensive. No one has an…

NCC Group Research Director Andy Davis presented ‘USB Attacks Need Physical Access Right? Not Any More…’ at this year’s BlackHat Asia in Singapore. Due to recent advances in a number of remoting technologies, USB attacks can now be launched over a network. The talk went into detail about how these…

We showcased at a client’s corporate event how we technically assess and breach network infrastructures, before attackers do. Throughout the talk a number of questions were answered: what network design mistakes and defective assumptions lead to security breaches? What are the weakest entry points of your network perimeter? How do…

NCC Group’s Thomas MacKenzie delivered this live demo on how to hack websites during the NCC Group website performance and optimisation day. Download presentation

These slides are from Andy Davis’ presentation at the European Dynamic Positioning Conference in London. The presentation looks at the cyber threats facing dynamic positioning operations, along with some short-term solutions to increase levels of cyber security. Download presentation

These slides are from Yevgen Dyryavyy’s presentation at the Smart Operations summit in Hong Kong. The presentation, Threats and vulnerabilities within the Maritime sector, features excerpts from the whitepaper he recently authored about the potential weaknesses within Electronic Chart Display and Information Systems and shipboard networks. It also features a…

Andy Davis, NCC Group’s Research Director presented Fuzzing the Easy Way Using Zulu at the 2014 Nullcon conference in Goa, India. The presentation describes how Zulu has been successfully used to discover high profile bugs and details the motivations for developing the tool.