
Talks

Conference talks, meetup presentations, and other speaking engagements

Hacking JWTs

Elevator Pitch

JSON Web Tokens are great! Or are they? They're signed, self-contained payloads of data, so what could go wrong? Come and find out. Live demos of hackery included.

Description

JWTs are secure; they're signed; they're the best thing since sliced bread! So you've adopted them into your applications, and feel much safer. The chances that things will go wrong are slim. Right?

This talk will introduce the ways in which JWT implementations can go wrong, with live demos of each, and take you on a journey to understand how to make sure you can trust these handy payloads in your applications and APIs.
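As an added illustration (this is not one of the talk's demos, and not code from the speaker), here is one of the classic ways a JWT verifier goes wrong: trusting the token's own `alg` header to decide how the signature is checked. A token is `base64url(header).base64url(payload).base64url(signature)`; if the verifier lets the header say `"alg": "none"`, an attacker can rewrite the claims and drop the signature entirely. The code is stdlib-only Python; the secret, the claims and the function names are constructed for this example.

```python
import base64
import hashlib
import hmac
import json

# Constructed demo secret; a real service would load this from a secret store.
SECRET = b"constructed-demo-secret"


def b64url_encode(data: bytes) -> str:
    """JWT uses base64url without '=' padding."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    """Restore the padding base64.urlsafe_b64decode expects."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_hs256(payload: dict, key: bytes) -> str:
    """Issue a legitimate HS256 token for the given claims."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = (
        b64url_encode(json.dumps(header, separators=(",", ":")).encode())
        + "."
        + b64url_encode(json.dumps(payload, separators=(",", ":")).encode())
    )
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)


def forge_none(payload: dict) -> str:
    """What an attacker sends: arbitrary claims, alg=none, empty signature."""
    header = b'{"alg":"none","typ":"JWT"}'
    return (
        b64url_encode(header)
        + "."
        + b64url_encode(json.dumps(payload, separators=(",", ":")).encode())
        + "."
    )


def verify_trusting_header(token: str, key: bytes) -> dict:
    """VULNERABLE: the attacker-controlled header picks the algorithm."""
    h, p, s = token.split(".")
    alg = json.loads(b64url_decode(h)).get("alg")
    if alg == "none":
        # Spec-compliant 'unsecured JWT', fatal when accepted on a trust boundary.
        return json.loads(b64url_decode(p))
    if alg == "HS256":
        expected = hmac.new(key, f"{h}.{p}".encode(), hashlib.sha256).digest()
        if hmac.compare_digest(expected, b64url_decode(s)):
            return json.loads(b64url_decode(p))
    raise ValueError("invalid token")


def verify_pinned(token: str, key: bytes, expected_alg: str = "HS256") -> dict:
    """HARDENED: the verifier decides the algorithm; the header must match it."""
    h, p, s = token.split(".")
    if json.loads(b64url_decode(h)).get("alg") != expected_alg:
        raise ValueError("unexpected alg")
    expected = hmac.new(key, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(s)):
        raise ValueError("bad signature")
    return json.loads(b64url_decode(p))


def rejects(verifier, token: str, key: bytes) -> bool:
    """True if the verifier refuses the token."""
    try:
        verifier(token, key)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    genuine = sign_hs256({"sub": "alice", "admin": False}, SECRET)
    forged = forge_none({"sub": "alice", "admin": True})
    print("genuine, pinned verifier:  ", verify_pinned(genuine, SECRET))
    print("forged,  trusting verifier:", verify_trusting_header(forged, SECRET))
    print("forged,  pinned verifier rejects:", rejects(verify_pinned, forged, SECRET))
```

The forged token carries no signature at all, yet the trusting verifier hands back `admin: true`. The fix is not to blocklist `none`; it is to never let the token choose: the verifier knows which algorithm (and which key) it expects and rejects anything else, which also closes the related HS256/RS256 key-confusion trick.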

Web Application Security

Even the simplest web application has so many vectors of attack that it's no wonder most people forget at least one. Web applications aren't stand-alone; they are built upon frameworks, upon platforms, upon core libraries, each of which can carry vulnerabilities you are not only unaware of but are statistically unlikely ever to discover in full. Consider, for example, OpenSSL's infamous "Heartbleed" bug (CVE-2014-0160).

We hear about security vulnerabilities every week; now it's time to experience them. Find out what the leading concerns are, and the not-so-common ones too, and watch live demonstrations of how these attacks play out.

This presentation aims to arm you with the mindset, tools and resources to minimise the opportunities for attack, and to reduce the fallout when they succeed. From cross-site scripting and session hijacking to brute force and man-in-the-middle attacks, you’re expected to cover all your bases so the bad guys can’t use a single one.

Writing Viruses for Fun, not Profit

Going viral hasn't always been considered good. Whether you're fighting the common cold, or trying to remove the ILOVEYOU computer worm from your corporate file server, two things are certain: your immune system is based on your gut health, and computers have really poor gut health.

Stopping viruses is hard. The main reason is that viruses are clever: they have evolved over time to escape detection, and each virus that gets caught teaches the next iteration to be more resilient. The second reason is that your computer's gut health has to fight off every virus, whereas each virus only has to find one immuno-compromised system to survive.

Let's work out how viruses hide. How do they sneak past the checkpoints? How do they attach themselves to your system? How do they fight detection and removal? We'll look at aspects such as self-replication and cryptographic obfuscation, and touch on methods of delivery and infection.

Now that you're thinking like a virus writer, you can anticipate which areas of your applications need hardening. Just remember, we're doing it for good, not profit :)

This presentation will feature live demos of writing PHP viruses, and infection of willing targets. The theories apply equally to many languages, so an understanding of PHP is not required.