This year’s BSides Lisbon 2018 (5th Edition) broke new records in attendance (400 participants!) and Crossjoin was once again present.

 

 Text by: Tiago Alcobia

 

The organizers really stepped it up this year, introducing some great new additions to Lisbon’s version of BSides.
 
The format of two days (with two room tracks) was kept but the location moved, this year, from Microsoft’s headquarters to ISCTE University Campus. Some talks were converted into Keynotes which presented cyber-security topics with a broader perspective.
 
The theme that stood out this year was how we can automate cyber security auditing, prevention and incident response when faced with an ever-increasing number of diverse and sophisticated cyber security attacks and a lack of cyber security experts.
 
It was said that we are truly in the golden age to enter the cyber security area and create new companies around this expertise or service.
 
Regardless of size, companies also started to pay even more attention to the consequences of cyber security attacks with the introduction of GDPR this year and the negative publicity Facebook, Google and others received with recent user data breaches.
 
The general public also started to pay more attention to the importance of data privacy and identity theft. Some tools/platforms such as probe.ly, TheHive, Nessus and Patrowl were explored, and a custom platform developed in-house (at Siemens) demonstrated how machine learning/data science can help accurately detect and prevent attacks at a large scale.
 
Cyber attacks to mine crypto-currency saw a large increase last year, coinciding of course with the media attention and profit this topic generated. Although media attention regarding ransomware decreased this year (remember WannaCry and Petya in 2017?), the number of cases vastly increased.
 
2018 also saw large media attention regarding hardware hacking, namely with the CPU vulnerabilities (Spectre and Meltdown) being disclosed at the start of the year, raising particular concern about the attack surface of cloud infrastructure.
The recent allegations of compromised hardware from Supermicro also raised awareness about the interceptions and manipulations that can occur along the hardware supply chain and distribution. Government agencies are particular fans of this method.
 
Mobile malware and mobile telecommunications vulnerabilities (see SS7 vulnerability and Stingray spying) were also a topic of discussion in some talks this year.
 
On the social side, BeerSidesLisbon and Pastel de Nata O’Clock were kept again this year. They are always great moments to talk with the panelists about their presentations and to meet up with colleagues from other companies/clients.
 
The exhibition area, where cyber-security companies have individual stands where they can display their services, was a feature again this year but something new was introduced by the organizers to increase the engagement from participants.
Each BSides participant received a piece of paper that, if stamped by each one of the stands, made the participant eligible for a prize lottery.
The companies present also encouraged interaction by showing demos of their products, distributing merchandise or, in one instance, having a claw crane game machine, which allowed each participant a free shot at pulling out a plush toy prize!
 
Each year we also look forward to what the conference access badge will look like.
This year the badge had a DIY element thanks to Steve Lord, who was also a panelist. Similar to other BSides throughout the world, the idea is that you solder parts onto a circuit board that you receive upon registration and make your badge come alive. Great fun!
 
Another very creative challenge that was launched during the event was a “hack the machine” contest. The setup was an RFID card that each participant received upon registration and an RFID reader connected to a screen.
The aim was to successfully swipe the card on the RFID reader and make the screen display “You are Elite”. The RFID card type was of course an early generation one which has known vulnerabilities.
 
Parallel to the talks there were the usual workshop sessions (hands-on specific topics) and the CTF (Capture the Flag) competition which pits teams against each other in answering trivia questions or executing practical hacking challenges to win prizes. During the closing ceremony, the challenges and respective solutions are all revealed which is always fun since some are very creative.
 
Congratulations to the organizers of BSides who put so much energy into making sure the Lisbon chapter of BSides grows better each year. They really take their customer satisfaction surveys seriously.
 
  • So what can we expect from next year in Cyber-security?
  • How much will IoT device vulnerability, cloud infrastructure exploitation and browser vulnerabilities become a media topic in 2019?
  • What new man-in-the-middle, botnet and malware attacks will surface?
  • Which crypto exchange sites will be compromised?
  • What new data breaches will the media pick up?
  • Will developers start to pay more attention to including security from the early design stages of their solutions? This is especially important in the industrial sector, which uses a lot of niche/custom-built devices where security was, in many cases, not considered in the design.
  • What new developments will we see in the government cyberwars?
 
See you next year!
 
More information:
Main page of the event: https://www.bsideslisbon.org/
Youtube playlist recorded sessions: https://t.co/T2xyJ3vV3d
Twitter page: https://twitter.com/bsideslisbon?lang=en
Facebook page: https://www.facebook.com/Bsideslisbon/ 
More about BSides events: https://en.wikipedia.org/wiki/Security_BSides

 

 If you have any questions please send an email to tiago.alcobia@cross-join.com
