10am – Track 1 (Herringbone Suite – First Floor) |
Bio Jayson E. Street has been referred to in the past as a “notorious hacker” by FOX25 Boston, a “World Class Hacker” by the National Geographic Breakthrough Series, a “paunchy hacker” by Rolling Stone Magazine and a “Change Agent” by the Director of Counter Intelligence at the Pentagon! He however prefers that people just refer to him simply as a Hacker, Helper & Human. He’s a Simulated Adversary for hire and the author of the “Dissecting the hack” series (which is currently required reading at 7 colleges in 4 countries that he knows of). He is also the DEF CON Groups Global Ambassador. He’s spoken at conferences & summits in over 50 countries, such as DEF CON, Le Hack, GISEC, IT-Defense, SYSCAN and several other ’CONs & colleges, on a variety of Cyber Security/Hacking subjects. He was also asked to speak at the Pentagon on his revolutionary process of Situational Awareness training. He loves to explore the world & networks as much as he can. He has successfully robbed banks, hotels, government facilities, biochemical companies, etc. on five continents (only once robbing the wrong bank, in Lebanon; all the others he was supposed to)! He is a highly carbonated speaker who has partaken of pizza from Bulgaria to Brazil & China to the Canary Islands. He does not expect anybody to still be reading this far, but if they are, please note he was proud to be chosen as one of Time’s Persons of the Year for 2006. |
Talk synopsis Keynote – Why Mr Rogers was a Hacker |
Socials https://twitter.com/jaysonstreet https://bsky.app/profile/jaysonstreet.bsky.social https://www.linkedin.com/in/jstreet/ |
10:35 am – Track 1 (Herringbone Suite – First Floor) |
Bio Dr Katie Paxton-Fear is an API security expert and Principal API Security Researcher at Harness; in her words, she used to make APIs and now she breaks them. A former API developer turned API hacker, she has found vulnerabilities in organizations ranging from the Department of Defense to Verizon using simple API vulnerabilities. Dr Katie has been a featured expert in the Wall Street Journal, BBC News, ZDNet, The Daily Swig and more, sharing some of the easy ways hackers can exploit APIs and how they get away without triggering a security alert. Dr Katie regularly delivers API security training and security research to some of the largest brands worldwide. She combines easy-to-understand explanations with key technical details that turn API security into something everyone can get. |
Talk synopsis Bad Vibes, Good job security? The future of security in an AI-saturated world AI is now writing millions of lines of code, transforming everything from our travel plans to the very security tools meant to protect us. The irony isn’t lost: are we coding ourselves out of a job? While AI streamlines our lives and powers new security defenses, the question of our professional relevance, and how to upskill in the competitive “AI Age”, is something all technical folks are grappling with. But all hope is not lost: in a world controlled by machines, the interfaces used to communicate with them are becoming a vital piece of technology. No, this isn’t a new piece of tech, but it’s certainly wrapped up in hype. This talk is a pragmatic roadmap to futureproofing your expertise and resume in an AI-saturated world. |
Socials https://twitter.com/InsiderPhD https://bsky.app/profile/insider.phd https://www.linkedin.com/in/katiepf/ |
10:35 am – Track 2 (Tweed Room – Second Floor) |
Bio Qais is an Information Security Consultant and Researcher with an MSc from the University of Birmingham. He has worked on securing various mobile financial applications against low-level attacks, monitoring them in the wild, and conducting threat hunting activities. His experience also includes low-level security research on embedded devices, with published work in top-tier journals and conferences. Additionally, Qais has been involved in deploying SIEM solutions for financial institutions to help them meet regulatory compliance requirements. |
Talk synopsis Beneath the Surface: Mobile Apps Security Challenges Mobile applications have become a prime target for attackers and scammers, driven by the rapid growth of mobile banking, digital payments and financial transactions through mobile applications. At the same time, mobile applications are becoming increasingly complex and tricky to protect. In this talk we will explore the often unspoken challenges faced on the journey of securing mobile applications, and discuss real-world issues faced by developers and security teams, such as balancing user experience with security and adapting to the fast-paced changes in mobile threats. Attendees will gain practical insights into why securing mobile apps is uniquely difficult and what can be done to reduce the effects of these challenges. |
Socials https://x.com/qaistemeiza https://bsky.app/profile/qaist.bsky.social https://www.linkedin.com/in/qaistemeiza/ |
10:35 am – 101 Track (Denim Room – Second Floor) |
Bio Jennifer is a curious and driven hobby-collector from Scotland who graduated last year and currently works as an analyst. You may have previously seen her analysing horror movies in the context of cybersecurity, or talking about using deep learning to aid in the identification of polymorphic malware. When she’s not working, Jennifer loves reading, embroidery, crochet, horror movies, and whatever else she can get her hands on. |
Talk synopsis Dark Web for Dummies For a lot of people, their impression and knowledge of the dark web probably begins and ends with “cesspit of evil”. While this is most likely fair, there are a myriad of different sites and services that are mandatory reading for understanding the dark web and how it relates to our world of cybersecurity. What sites do threat actors use to chat to each other? What’s the difference between an escrow dark web marketplace and an autoshop dark web marketplace? And why haven’t law enforcement just shut the whole thing down already? Get ready for a whirlwind introduction to the dark web, including marketplaces, forums, and just how these sites all keep ticking over. |
Socials https://www.linkedin.com/in/jenniferhollandcyber/ |
11:20 am – Track 1 (Herringbone Suite – First Floor) |
Bio Arohi Naik, Security Engineer, SQR. Arohi Naik is a Security Engineer at SQR and brings both technical depth and a human-focused lens to her work. With a Master’s in Cybersecurity and experience across threat intelligence, incident response, risk management, and GRC, she is passionate about creating security solutions that are not just effective, but also inclusive and user-aware. A committed advocate for gender equity in tech and a vocal feminist, she works to elevate diverse voices and drive meaningful change in the cybersecurity space. With a lens grounded in empathy and inclusion, Arohi examines how behaviour, psychology, and culture intersect with the security landscape. Whether she’s building threat models or speaking on stage, she brings clarity and a mission to make security safer, smarter, and more accessible for everyone. |
Talk synopsis Femtech and Data Privacy: What’s at Stake? Femtech apps are changing the way millions of women track their reproductive health, offering tools for period tracking, fertility planning, and sexual wellness. But beneath these friendly and helpful interfaces lies a complex and often opaque system of data practices. This talk explores the privacy concerns surrounding femtech apps, examining how they collect, store, and at times misuse deeply personal health information. It begins with the 2021 Flo app controversy, where the company was found to be sharing sensitive user data with third parties despite claiming to protect user privacy. This case highlights broader risks associated with period trackers and similar apps. Many of these tools operate outside the scope of medical device regulation and exploit loopholes in data governance, while positioning themselves as harmless lifestyle products. From a cybersecurity standpoint, the talk examines technical vulnerabilities and regulatory blind spots that make femtech uniquely exposed. It argues for a new kind of threat model, one that accounts for the specific sensitivity of reproductive health data, the gendered risks, and the increasing political implications. Drawing on recent research and real-world examples, the session advocates for a privacy-first approach, discussing concepts like decentralized data storage, end-to-end encryption, GDPR rights, and the urgent need for more robust regulation. As reproductive health data becomes increasingly politicized and monetized, this talk challenges complacency, invites critical conversation, and calls for design and policy changes that return control of intimate data to the user. |
Socials http://www.linkedin.com/in/arohi-naik |
11:20 am – Track 2 (Tweed Room – Second Floor) |
Bio Pratik Shrestha is a PhD student at the University of Exeter, where his research focuses on defending against cache-level microarchitectural attacks like Prime+Prune+Probe. As Academic Director of the Exeter Cybersecurity Society, he organizes hands-on workshops, speaker events, and campus-wide CTF competitions to boost practical security skills. Before starting his doctorate, Pratik worked as a Research Assistant developing intrusion-detection systems for IoT-based smart homes at the University of Ottawa. He holds an ISO 27001:2022 Lead Auditor certification and has over two years of teaching experience in the department of Ethical Hacking and Cybersecurity. Pratik is an outdoor enthusiast who loves mountains and adventurous trekking, and he is climbing a 6,119m mountain in Nepal late this year. Wish him luck. |
Talk synopsis Side-Channel Attacks via CPU Caches: Methods and Mitigations In this talk, I’ll explain how modern CPUs share cache memory between programs and users, and why that sharing can leak secret data through tiny timing differences. We’ll look at three main attacks, Flush+Reload, Evict+Reload and Prime+Prune+Probe, and see how each one measures cache hits and misses to recover sensitive information like cryptographic keys. I’ll show why a defense that stops one attack often doesn’t stop the next, and how attackers adapt their methods to get around simple fixes. Finally, we’ll go over practical defenses like partitioning the cache, adding randomness to accesses, or combining both. By the end, you’ll have a clear, hands-on view of cache side-channel attacks and the current strategies from researchers around the world to defend against them. |
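The three attack families in the synopsis, worked through on a software model of a set-associative cache (an added example, not code from the talk): Prime+Probe needs no shared memory and recovers which cache set the victim touched, while Flush+Reload and Evict+Reload need a line shared with the victim and recover whether that exact line was used. Cache geometry, address layout and hit/miss latencies are assumed toy values, and a real attack also has to cope with noise, prefetchers and timer resolution. The Prime+Prune+Probe variant the talk covers, which adds a prune step to deal with randomised set mappings, is not modelled here.

```python
from collections import OrderedDict

LINE_SIZE = 64          # bytes per cache line
NUM_SETS = 8            # toy cache: 8 sets x 4 ways = 32 lines
WAYS = 4
HIT_CYCLES, MISS_CYCLES = 40, 200   # assumed illustrative latencies, not measured values

# Address layout (constructed): attacker-owned lines use tags 0..3, the victim's
# private table sits at tag 4, and a page shared with the attacker (as a shared
# library or deduplicated page would be) sits at tag 8.
VICTIM_BASE = 4 * LINE_SIZE * NUM_SETS
SHARED_BASE = 8 * LINE_SIZE * NUM_SETS


class Cache:
    """Set-associative cache with LRU replacement; access() returns a latency."""

    def __init__(self):
        self.sets = [OrderedDict() for _ in range(NUM_SETS)]   # tag -> None, LRU first

    @staticmethod
    def index(addr):
        return (addr // LINE_SIZE) % NUM_SETS

    @staticmethod
    def tag(addr):
        return addr // (LINE_SIZE * NUM_SETS)

    def access(self, addr):
        s, t = self.sets[self.index(addr)], self.tag(addr)
        if t in s:
            s.move_to_end(t)          # hit: refresh LRU position
            return HIT_CYCLES
        if len(s) >= WAYS:
            s.popitem(last=False)     # miss in a full set: evict least recently used
        s[t] = None
        return MISS_CYCLES

    def flush(self, addr):
        """clflush equivalent: drop one line regardless of who loaded it."""
        self.sets[self.index(addr)].pop(self.tag(addr), None)


def make_victim(secret, base):
    """Victim doing one secret-indexed table lookup (the AES T-table pattern)."""
    def run(cache):
        cache.access(base + secret * LINE_SIZE)
    return run


def attacker_lines(set_index):
    """WAYS distinct attacker addresses that all map to one set."""
    return [set_index * LINE_SIZE + w * LINE_SIZE * NUM_SETS for w in range(WAYS)]


def prime_probe(cache, victim):
    """No shared memory needed: fill every set, let the victim run, then time
    our own lines; a set the victim touched now costs us at least one miss."""
    for s in range(NUM_SETS):
        for a in attacker_lines(s):
            cache.access(a)                       # prime
    victim(cache)
    touched = []
    for s in range(NUM_SETS):
        # probe in reverse so our own refills do not evict lines we still have to time
        cycles = sum(cache.access(a) for a in reversed(attacker_lines(s)))
        if cycles > WAYS * HIT_CYCLES:
            touched.append(s)
    return touched


def flush_reload(cache, victim):
    """Needs a line shared with the victim: flush it, wait, reload and time it."""
    shared = [SHARED_BASE + i * LINE_SIZE for i in range(NUM_SETS)]
    for a in shared:
        cache.flush(a)
    victim(cache)
    return [i for i, a in enumerate(shared) if cache.access(a) == HIT_CYCLES]


def evict_reload(cache, victim):
    """Flush+Reload without a flush instruction: push the shared line out by
    filling its set with our own lines, then reload and time as before."""
    shared = [SHARED_BASE + i * LINE_SIZE for i in range(NUM_SETS)]
    for i in range(NUM_SETS):
        for a in attacker_lines(i):
            cache.access(a)
    victim(cache)
    return [i for i, a in enumerate(shared) if cache.access(a) == HIT_CYCLES]


if __name__ == "__main__":
    for secret in (1, 6):
        print("Prime+Probe  ->", prime_probe(Cache(), make_victim(secret, VICTIM_BASE)))
        print("Flush+Reload ->", flush_reload(Cache(), make_victim(secret, SHARED_BASE)))
        print("Evict+Reload ->", evict_reload(Cache(), make_victim(secret, SHARED_BASE)))
```

The model makes the talk's point about mitigations concrete: disabling the flush instruction breaks `flush_reload` but not `evict_reload`, and removing shared memory breaks both reload variants but leaves `prime_probe` untouched, which is why defences have to target the shared, deterministic set mapping itself.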
Socials https://www.linkedin.com/in/pratik-shresth/ |
11:20 am – 101 Track (Denim Room – Second Floor) |
Bio Liam McGrath, Senior Penetration Tester, KPMG |
Talk synopsis Rage Against the Machine(s) – An Intro to Operational Technology (OT) Hacking Discussing the importance of pentesting OT, the common issues and the major challenges we face when taking on these engagements. Includes a case study from fieldwork done in 2 factories in South Africa where we were able to successfully take over a factory’s assembly line and robotic arms. |
Socials https://www.linkedin.com/in/liammcgrathdigital |
11:20 am (after Liam) – 101 Track (Denim Room – Second Floor) |
Bio Rahul Balaji is a cybersecurity professional and software engineer with an MSc in Advanced Computer Science, specializing in computer security, from the University of Manchester. With hands-on experience in formal verification, vulnerability assessment, and secure software development, Rahul has contributed to projects ranging from static analysis tools for Python code to penetration testing and SOC operations. His academic and practical background includes ISO 27001-based risk management and security policy drafting, and he is skilled in tools like Python, C++, and Splunk. Passionate about bridging development and security, Rahul advocates for integrating formal verification into software deployment pipelines to prevent critical vulnerabilities. He is eager to apply his expertise to challenging roles in cybersecurity and secure software engineering. |
Talk synopsis Look twice before you run. (A talk on why you must make your company’s DEV team formally verify their shiny new feature before deployment.) In modern software development, security vulnerabilities often arise from common programming malpractices, such as hardcoded credentials, insufficient input sanitization, and unsafe memory handling. While functional testing is widely adopted to ensure an app works, verification of secure coding practices is often overlooked. This gap can lead to critical risks including buffer overflows, SQL injection, and inadvertent exposure of sensitive information, which can be extremely dangerous in high-value programs such as blockchain contracts or safety-critical systems. This presentation will emphasize the importance of incorporating formal verification tools into the software testing pipeline to proactively detect and prevent such vulnerabilities before the code is deployed to your servers. The talk will begin by reviewing a notable security incident caused by programming malpractice that could have been avoided through the use of formal verification techniques. Following this, a survey of existing verification tools will be provided, covering solutions suitable for a broad range of applications, from verifying Python programs to rigorously analyzing smart contracts on blockchain platforms. Through practical demonstrations, including annotated screenshots of tool outputs applied to real smart contracts, attendees will gain insight into how these tools function and their role in enforcing coding standards aligned with industry best practices. The session will also discuss the integration of these tools within development workflows to enhance code quality and security assurance.
By the conclusion of the talk, attendees will appreciate the critical role formal verification plays in mitigating security risks and will be equipped to advocate for its inclusion as a standard practice within their own organizations’ deployment processes. |
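A lightweight version of the pipeline gate the talk argues for, as an added Python example (not the speaker's tooling): an `ast`-based checker for two of the malpractices named, hardcoded credentials and SQL built by string formatting, run over a constructed vulnerable sample and its fixed version, returning a non-zero status that blocks a deploy. This is pattern matching, not formal verification: it finds known bad shapes but proves nothing about the cases it does not match, which is exactly the gap the verification tools surveyed in the talk close.

```python
import ast
import sys

CREDENTIAL_NAMES = ("password", "passwd", "secret", "api_key", "apikey", "token")
SQL_SINKS = ("execute", "executemany")


class MalpracticeChecker(ast.NodeVisitor):
    """Flags string constants assigned to credential-like names and SQL sinks
    whose query is built with f-strings, '+', '%' or str.format."""

    def __init__(self):
        self.findings = []

    def visit_Assign(self, node):
        value = node.value
        if isinstance(value, ast.Constant) and isinstance(value.value, str) and value.value:
            for target in node.targets:
                if isinstance(target, ast.Name) and any(k in target.id.lower() for k in CREDENTIAL_NAMES):
                    self.findings.append((node.lineno, f"hardcoded credential assigned to {target.id}"))
        self.generic_visit(node)

    def visit_Call(self, node):
        func = node.func
        if isinstance(func, ast.Attribute) and func.attr in SQL_SINKS and node.args:
            if self._is_formatted(node.args[0]):
                self.findings.append((node.lineno, f"{func.attr}() called with a formatted query; pass parameters instead"))
        self.generic_visit(node)

    @staticmethod
    def _is_formatted(expr):
        if isinstance(expr, ast.JoinedStr):                                          # f"...{x}..."
            return True
        if isinstance(expr, ast.BinOp) and isinstance(expr.op, (ast.Add, ast.Mod)):  # "..." + x, "..." % x
            return True
        if isinstance(expr, ast.Call) and isinstance(expr.func, ast.Attribute) and expr.func.attr == "format":
            return True
        return False


def check_source(source: str):
    """Return sorted (line, message) findings for one Python source file."""
    checker = MalpracticeChecker()
    checker.visit(ast.parse(source))
    return sorted(checker.findings)


# Constructed samples: the 'before' a reviewer would reject and the fixed version.
VULNERABLE = '''
DB_PASSWORD = "hunter2"

def find_user(cur, name):
    cur.execute("SELECT * FROM users WHERE name = '" + name + "'")
    cur.execute(f"SELECT * FROM users WHERE name = '{name}'")
'''

FIXED = '''
import os
DB_PASSWORD = os.environ["DB_PASSWORD"]

def find_user(cur, name):
    cur.execute("SELECT * FROM users WHERE name = %s", (name,))
'''


def gate(source: str) -> int:
    """Exit status for a pipeline step: non-zero blocks the deploy."""
    findings = check_source(source)
    for lineno, msg in findings:
        print(f"line {lineno}: {msg}")
    return 1 if findings else 0


if __name__ == "__main__":
    src = sys.stdin.read() if not sys.stdin.isatty() else VULNERABLE
    sys.exit(gate(src))
```

Wire `gate` into CI as a step that reads each changed file on stdin; the useful habit is the same whether the checker is this twenty-line visitor or a real verifier: the pipeline, not the reviewer's memory, is what says no.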
Socials https://www.linkedin.com/in/haru02/ https://github.com/haru-02 |
11:55 am – Track 1 (Herringbone Suite – First Floor) |
Bio Chicago-based and proudly a natural creature of winter, I thrive on snow, OSS, and just the right amount of chaos. Whether sipping Grand Mayan Extra Añejo or warding off cyber threats with a mix of honeypots, magic spells, and a very opinionated flamingo named Sasha (the BSidesChicago.org mascot), I keep things interesting. Honeypots and refrigerators rank among my favorite things—though my neighbors would likely disagree. |
Talk synopsis Confound and Delay: Honeypot Chronicles from the Digital Battlefield What happens when you scatter digital breadcrumbs across the globe and wait for the curious—or the careless—to bite? Welcome to the world of global honeypots, where deception is an art form and every unexpected connection tells a story. From snowy servers in Ukraine to decoy dashboards in Tokyo, this talk dives into the weird, wonderful, and sometimes laugh-out-loud encounters that unfold when attackers walk straight into the trap. Less about setup, more about the surprises, you’ll hear real stories of what happens when threat actors think no one’s watching… but someone definitely is. |
Socials https://bsky.app/profile/rnbwkat.bsky.social https://mastodon.social/@rnbwkat@infosec.exchange |
11:55 am – Track 2 (Tweed Room – Second Floor) |
Bio Will Hunt, Co-Founder of In.security. Will (@Stealthsploit) has been in infosec for over 15 years, co-founded In.security in 2018 and as a pentester has helped secure many organisations through technical security services and training. Will’s a Black Hat trainer and has taught and spoken at several global conferences and events, as well as helping run Password Village at DEF CON. Will also assists the UK government in various technical, educational and advisory capacities. Before Will was a security consultant he was an experienced digital forensics consultant and trainer. |
Talk synopsis Plundering and pillaging password and passphrase plains for profit In this talk we’ll look beyond the basics of cracking and arm you with further attacks for when you feel you’re out of options. We’ll look at multiple paths for cracking delimited passphrases and review when you’d want to use these attacks and why. Target-specific Markov tables will be shown to illustrate how you could be missing out on elusive plains without even realising it, as well as how to get the best bang for your buck out of your rule-based attacks by identifying inefficient operations. Then, after looking at foreign language and transliterated attacks and hash shucking, we’ll wrap up by introducing a tool to help you automate the initial heavy lifting of your attack cycles. |
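The delimited-passphrase (combinator) and rule attacks the synopsis mentions, plus a toy target-specific Markov table used to order candidates, as an added Python example rather than the speaker's tool. The word list, delimiters, rules and the two target hashes are constructed, and unsalted SHA-256 stands in for whatever the real target uses; hashcat's combinator mode, rule engine and hcstat files do the same jobs at scale.

```python
import hashlib
import itertools

# Constructed demo inputs: a tiny word list and a few delimiters. Real attacks use
# far larger lists and hashcat's combinator/rule engines; the logic is the same.
WORDS = ["correct", "horse", "battery", "staple", "leeds", "bsides"]
DELIMITERS = ["", "-", "_", ".", " "]


def digest(plain: str) -> str:
    """Unsalted SHA-256, standing in for whatever hash the target really uses."""
    return hashlib.sha256(plain.encode()).hexdigest()


def passphrases(words, delimiters, n_words):
    """Every n-word combination joined by each delimiter (a combinator attack)."""
    for combo in itertools.product(words, repeat=n_words):
        for d in delimiters:
            yield d.join(combo)


def apply_rules(phrase):
    """A few hashcat-style rules: identity, Title Case, append '1', append '!'."""
    yield phrase
    yield phrase.title()
    yield phrase + "1"
    yield phrase + "!"


def markov_table(cracked_plains):
    """Bigram counts from plains already recovered for this target; the same
    idea as a target-specific hcstat file, at toy scale ('^' marks start)."""
    counts = {}
    for p in cracked_plains:
        for a, b in zip("^" + p, p):
            counts[(a, b)] = counts.get((a, b), 0) + 1
    return counts


def markov_score(table, candidate):
    """Higher means 'looks more like what this target's users already chose'."""
    return sum(table.get((a, b), 0) for a, b in zip("^" + candidate, candidate))


def crack(target_digests, words=WORDS, delimiters=DELIMITERS, max_words=3, cracked_plains=()):
    """Return (found, attempts). found maps digest -> recovered plain."""
    remaining = set(target_digests)
    found, attempts, seen = {}, 0, set()
    candidates = (c for n in range(1, max_words + 1)
                    for phrase in passphrases(words, delimiters, n)
                    for c in apply_rules(phrase))
    if cracked_plains:
        # target-specific ordering: try what resembles this target's plains first
        table = markov_table(cracked_plains)
        candidates = sorted(set(candidates), key=lambda c: -markov_score(table, c))
    for cand in candidates:
        if not remaining:
            break
        if cand in seen:          # delimiters collapse for single words; do not rehash
            continue
        seen.add(cand)
        attempts += 1
        d = digest(cand)
        if d in remaining:
            found[d] = cand
            remaining.discard(d)
    return found, attempts


if __name__ == "__main__":
    targets = [digest("Correct-Horse-Battery"), digest("leeds_bsides1")]   # constructed targets
    found, attempts = crack(targets)
    print(f"{len(found)}/{len(targets)} cracked in {attempts} attempts")
    for d, plain in found.items():
        print(d[:16] + "...", plain)
```

The `seen` set is the toy version of the inefficiency the synopsis talks about: rules and delimiters that produce the same candidate twice cost a hash computation each time, and at GPU scale those duplicates are wasted keyspace.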
Socials https://x.com/Stealthsploit https://www.linkedin.com/in/will-hunt/ |
11:55 am – 101 Track (Denim Room – Second Floor) |
Bio Japheth Effah is an emerging cybersecurity professional who believes in learning by doing and occasionally breaking things in a safe lab environment. I hold an MSc in Information and Cyber Security and have a background in teaching, research, and IT support. I am passionate about making cybersecurity approachable, especially for beginners navigating the transition from theory to practice. My recent work focuses on vulnerability management using Tenable Nessus, with remediation strategies grounded in DISA STIGs. I enjoy sharing not just what works, but also what didn’t (and why clicking “Scan All” at midnight is usually a bad idea). When I am not scanning virtual machines, I enjoy contributing to the infosec community by sharing my opinions on the happenings in the cyber space, researching, and continuously learning. This is my first BSides talk and I hope to enjoy every moment. |
Talk synopsis Getting Started with Vulnerability Management: Lab Lessons Using STIGs, NIST & Real-World Scans Vulnerability management is one of the most critical domains in cybersecurity. For beginners, it can be overwhelming to move beyond theory and start working with real scanning tools and security frameworks. This talk shares how I tackled that challenge by building a hands-on lab and using it to understand how to identify, prioritise, and fix vulnerabilities using industry-aligned practices. Over the past year, I developed a personal lab environment using Azure virtual machines, where I simulated various system misconfigurations and software vulnerabilities. I used Tenable Nessus to scan these systems, generating real vulnerability reports that reflected many of the issues organisations face in production environments. This talk will walk through how those scans work, what kinds of findings to expect, and most importantly, how to make sense of them. To go beyond raw scan data, I turned to security configuration baselines like the DISA STIGs (Security Technical Implementation Guides) and NIST 800-53. These frameworks helped me interpret findings in the context of compliance and secure configuration, allowing me to translate vulnerability scores into meaningful remediation actions. I’ll share examples of how I applied these guidelines to tighten access controls, disable insecure services, and fix common misconfigurations flagged during scans. While the tools are important, the real value comes from understanding how to prioritise vulnerabilities based on impact and exploitability. I’ll briefly discuss how I approached triage, deciding what to fix first, what to monitor, and how to validate that my fixes worked. This includes aligning technical steps with security policies and compliance benchmarks. This talk is designed for beginners, students, and career changers who are curious about vulnerability management but unsure where to start. 
Attendees will walk away with: • A clear understanding of what vulnerability management is and why it matters • How frameworks like DISA STIG and NIST 800-53 can guide remediation efforts • Lessons learned from a beginner’s perspective, including mistakes, surprises, and small wins. |
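The triage step, as an added Python example (not the speaker's lab scripts): a constructed export with columns modelled on a Nessus CSV is scored by CVSS base, asset exposure and known-exploited status, bucketed into fix-now, schedule and monitor, and mapped to a STIG-style hardening action where the fix is configuration rather than a patch. A second scan is then diffed against the first to validate that fixes worked. The scoring weights, the internet-facing list and the known-exploited set are assumptions; in practice the last would come from a feed such as CISA's KEV catalogue.

```python
import csv
import io

# Constructed export with columns modelled on a Nessus CSV; scores are illustrative.
SCAN_BEFORE = """CVE,CVSS v3.0 Base Score,Risk,Host,Protocol,Port,Name,Solution
CVE-2014-0160,7.5,High,10.0.1.10,tcp,443,OpenSSL Heartbeat Information Disclosure (Heartbleed),Upgrade OpenSSL
CVE-2017-0144,8.1,High,10.0.1.20,tcp,445,MS17-010: SMBv1 remote code execution,Apply MS17-010 and disable SMBv1
,5.3,Medium,10.0.1.20,tcp,445,SMB Signing not required,Enforce message signing in the host's configuration
,5.9,Medium,10.0.1.10,tcp,443,SSL Version 2 and 3 Protocol Detection,Disable SSLv2/SSLv3; require TLS 1.2 or later
,0.0,Info,10.0.1.20,tcp,445,SMB Service Detection,n/a
"""

# Re-scan after patching OpenSSL and enforcing SMB signing (constructed).
SCAN_AFTER = """CVE,CVSS v3.0 Base Score,Risk,Host,Protocol,Port,Name,Solution
CVE-2017-0144,8.1,High,10.0.1.20,tcp,445,MS17-010: SMBv1 remote code execution,Apply MS17-010 and disable SMBv1
,5.9,Medium,10.0.1.10,tcp,443,SSL Version 2 and 3 Protocol Detection,Disable SSLv2/SSLv3; require TLS 1.2 or later
,0.0,Info,10.0.1.20,tcp,445,SMB Service Detection,n/a
"""

KNOWN_EXPLOITED = {"CVE-2014-0160", "CVE-2017-0144"}   # constructed stand-in for a KEV-style feed
INTERNET_FACING = {"10.0.1.10"}                         # constructed asset context
HARDENING_BASELINE = {   # STIG-style configuration fixes for findings that are not patch-driven
    "SMB Signing not required": "require SMB signing on server and client",
    "SSL Version 2 and 3 Protocol Detection": "disable SSLv2/SSLv3, allow TLS 1.2+ only",
}


def parse_scan(text):
    return list(csv.DictReader(io.StringIO(text)))


def priority(row):
    """Assumed scheme: CVSS base, x1.5 if internet-facing, +3 if known exploited."""
    score = float(row["CVSS v3.0 Base Score"] or 0)
    if row["Host"] in INTERNET_FACING:
        score *= 1.5
    if row["CVE"] in KNOWN_EXPLOITED:
        score += 3
    return round(score, 2)


def bucket(score):
    if score >= 9:
        return "fix now"
    if score >= 4:
        return "schedule"
    return "monitor"


def triage(text):
    """Findings sorted by priority, each with an action and a remediation."""
    out = []
    for row in parse_scan(text):
        if row["Risk"] == "Info":         # detection plugins are inventory, not findings
            continue
        p = priority(row)
        out.append({"host": row["Host"], "port": row["Port"], "name": row["Name"],
                    "priority": p, "action": bucket(p),
                    "remediation": HARDENING_BASELINE.get(row["Name"], row["Solution"])})
    return sorted(out, key=lambda f: -f["priority"])


def finding_key(row):
    return (row["Host"], row["Port"], row["Name"])


def verify_fixes(before_text, after_text):
    """Diff two scans to confirm remediation: resolved, still open, new."""
    before = {finding_key(r) for r in parse_scan(before_text) if r["Risk"] != "Info"}
    after = {finding_key(r) for r in parse_scan(after_text) if r["Risk"] != "Info"}
    return {"resolved": sorted(before - after),
            "still_open": sorted(before & after),
            "new": sorted(after - before)}


if __name__ == "__main__":
    for f in triage(SCAN_BEFORE):
        print(f"{f['priority']:>6}  {f['action']:<8} {f['host']}:{f['port']}  {f['name']}  -> {f['remediation']}")
    print(verify_fixes(SCAN_BEFORE, SCAN_AFTER))
```

Note what the ordering does: the internal SMBv1 host outranks the public SSLv3 finding not because of its CVSS score alone but because a public exploit exists, which is the exploitability signal the synopsis says matters more than the raw number.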
Socials www.linkedin.com/in/japheth-effah |
12:40 pm – Track 2 (Tweed Room – Second Floor) |
Bio |
Talk synopsis Do scanners suck? I have the receipts Modern DevSecOps is an alphabet soup of silver bullets promising to find more vulnerabilities than competitors… But, if you ask any pentester, they’ll tell you that tools are only any good at finding low-hanging fruit. Are testers just unwilling to concede that scanners are coming to take their jobs? What counts as a low-hanging fruit vulnerability? Are some tools better than others? It took a university partnership, 600+ hours of dedicated research, and the launch of an open-source framework (the first of its kind), but we finally have answers. This talk provides you with a first look at the research, and marks the official launch of the AppSec Detection Framework, where we’ve taken the 180+ CWEs that map to OWASP Top 10 vulnerabilities and published exactly how well popular tools perform at identifying them under different conditions. This is a talk aimed at anyone interested in understanding the tool landscape in 2025, finding out what scanners are great at, what they’re still sh*t at, and where there’s still some room for improvement. It’s also an open invitation to anyone interested in contributing to the research, getting involved, and adding their favourite testing tools to the dataset. Let’s cut through the noise, vendor bias, and marketing metrics, and actually do something to move the needle of AppSec scanner capabilities. |
Socials https://x.com/0x4A757A https://www.linkedin.com/in/thomasjballin |
13:30 pm – Track 1 (Herringbone Suite – First Floor) |
Bio James is a Chartered Security Professional and now runs one of the oldest (and smallest) technology and security companies in the world (as far as he knows anyway). He regularly provides understandable comment on complex issues on national media, and puts most of his success down to a selection of colourful shirts, a collection of hats, and a tendency to speak before thinking. |
Talk synopsis The Sound of Secrets We talk a lot about security, about encryption, and even about compression. But what does that mean? This talk is an opportunity to take part in a live, untested experiment. I’ll be sonifying data — turning information into sound at 300 baud — and discovering if we can hear the difference between plain text, compression, encryption, and a combination. Do secrets sound different? How audible is compression? Along the way you’ll come to understand Kolmogorov complexity, Shannon entropy, and why compression and encryption make such a terrible mix. If nothing else, you might walk away with a brand new understanding of what information is. |
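The entropy half of the experiment in numbers rather than sound: an added Python example (not the speaker's code) that measures Shannon entropy per byte of the same text plain, compressed, encrypted, and compressed-then-encrypted, and then tries to compress each result again. The text is constructed and seeded, and a SHA-256 counter-mode keystream stands in for a real cipher. Two things show up: ciphertext does not compress at all, so encrypting first and compressing second buys nothing, and compressing first leaves the ciphertext exactly as long as the compressed data, which is the redundancy-dependent length signal that attacks such as CRIME and BREACH exploit.

```python
import hashlib
import math
import random
import zlib
from collections import Counter


def shannon_entropy(data: bytes) -> float:
    """Empirical Shannon entropy in bits per byte (8.0 is the ceiling)."""
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def keystream_xor(data: bytes, key: bytes) -> bytes:
    """XOR with a SHA-256 counter-mode keystream. A stand-in for a real cipher
    so the example has no dependencies; it is symmetric (encrypt == decrypt)
    and must not be reused outside this demo."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        block = hashlib.sha256(key + (offset // 32).to_bytes(8, "big")).digest()
        out.extend(a ^ b for a, b in zip(data[offset:offset + 32], block))
    return bytes(out)


def sample_text(n_words: int = 1500, seed: int = 1) -> bytes:
    """Constructed English-like text; seeded so every run gives the same bytes."""
    vocab = ("the secret of this talk is that information has a shape and a sound "
             "compression removes redundancy while encryption hides structure "
             "entropy measures surprise per symbol and good ciphertext looks random").split()
    rng = random.Random(seed)
    return " ".join(rng.choice(vocab) for _ in range(n_words)).encode()


def measure(plain: bytes, key: bytes = b"demo-key-not-for-real-use") -> dict:
    """Per transform: (length, entropy in bits/byte, length after a further zlib pass)."""
    compressed = zlib.compress(plain, 9)
    encrypted = keystream_xor(plain, key)
    compress_then_encrypt = keystream_xor(compressed, key)
    variants = {
        "plain": plain,
        "compressed": compressed,
        "encrypted": encrypted,
        "compress_then_encrypt": compress_then_encrypt,
    }
    return {name: (len(d), round(shannon_entropy(d), 3), len(zlib.compress(d, 9)))
            for name, d in variants.items()}


if __name__ == "__main__":
    for name, (size, bits, recompressed) in measure(sample_text()).items():
        print(f"{name:<22} {size:>6} bytes  {bits:.3f} bits/byte  recompresses to {recompressed}")
```

The compressed length is also the cheapest available estimate of Kolmogorov complexity, which is why the talk can treat "how small does it get" and "how random does it look" as two views of the same quantity.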
Socials https://x.com/coffee_fueled https://bsky.app/profile/coffeefueled.org https://linkedin.com/in/jbore linktr.ee/coffeefueled |
13:30 pm – 101 Track (Denim Room – Second Floor) |
Bio Anicet Fopa Tchoffo returns to BSides Leeds, bringing insights from his role as a Security Consultant at the University of Leeds where he’s helped secure everything from innovative Nuclear and Covid research to vital Environmental studies and the University’s critical High-Performance Computing (HPC) deployments. His experience bridges offensive and defensive security, with a strong focus on practical threat detection, incident response, security architecture, and purple teaming. This time, Anicet will unpack the power of operational honeypots, demonstrating how they can dramatically improve your organization’s ability to detect and respond to internal threats. Outside of work, you’ll often find him attempting to navigate a snowboard (valiantly trying not to injure himself or others), pretending he still has the stamina of a pro footballer (for about 15 minutes), or enjoying a less-taxing game of badminton. Find him on LinkedIn: https://www.linkedin.com/in/anicet-tchoffo/ |
Talk synopsis Beyond Research – Deploying Operational Honeypots for High-Fidelity Threat Detection and Intelligence Modern cyber threats increasingly bypass traditional perimeter defenses, making the detection of internal reconnaissance, lateral movement, and sophisticated targeted attacks a significant challenge for security teams. While often associated with research, operational honeypots offer a powerful, yet frequently underutilized, capability within an active defense strategy. These strategically deployed decoy systems act as lures for attackers, providing unique advantages: generating high-fidelity alerts with minimal false positives upon interaction, and capturing context-specific threat intelligence directly relevant to the targeted organization’s environment. This presentation moves beyond theoretical applications to explore the practical deployment of honeypots for tangible security improvements in production networks. Attendees will leave this session with actionable knowledge on effectively operationalizing honeypots, covering key considerations such as selecting appropriate tools (focusing on open-source), designing believable decoys, implementing crucial hardening and isolation techniques to mitigate risks, and establishing effective monitoring and alerting. Drawing on real-world scenarios and best practices, this session will demystify honeypot deployment, address common pitfalls, and demonstrate how to integrate these powerful deception tools into a robust, layered security strategy, exploring how carefully placed decoys can provide high-fidelity alerts for lateral movement, credential abuse, malware activity, and even threats targeting specialized environments like ICS/OT networks. |
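A minimal operational decoy of the kind described, as an added example (not the speaker's deployment): a low-interaction SSH banner listener that turns every connection into a JSON alert line for the SIEM. The banner, the allowlisted scanner address and the automation markers are assumed values. It never gets past the SSH identification line, so there is no authentication or command path to exploit; still run it as an unprivileged user in an isolated VM or container with no egress, and ship the JSON lines off the box rather than storing them on the decoy.

```python
import json
import socketserver
import time

# Decoy identity; assumed plausible for the segment it sits in (pick one that
# matches neighbouring real hosts, or the decoy stands out to the attacker too).
FAKE_BANNER = b"SSH-2.0-OpenSSH_8.9p1 Ubuntu-3ubuntu0.6\r\n"
ALLOWLIST = {"10.0.0.5"}        # constructed: the authorised internal vulnerability scanner
MAX_READ = 512                  # read just enough to fingerprint the client, never more
READ_TIMEOUT = 5.0
AUTOMATION_MARKERS = ("libssh", "paramiko", "ssh-2.0-go", "nmap", "masscan")


def build_alert(src_ip, src_port, received: bytes, ts=None) -> dict:
    """One decoy interaction -> one alert record (a JSON line for the SIEM).

    Nothing legitimate should ever talk to a decoy, so every connection is an
    event. Known scanners are tagged and downgraded rather than dropped, so the
    scanner's coverage of the decoy stays visible in the logs."""
    text = received.decode("utf-8", "replace")
    banner = text.split("\r\n", 1)[0].split("\n", 1)[0] if text.startswith("SSH-") else None
    alert = {
        "ts": time.time() if ts is None else ts,
        "sensor": "ssh-decoy",
        "src_ip": src_ip,
        "src_port": src_port,
        "bytes_received": len(received),
        "client_banner": banner,
        "severity": "info" if src_ip in ALLOWLIST else "high",
        "tags": [],
    }
    if src_ip in ALLOWLIST:
        alert["tags"].append("authorised-scanner")
    if banner and any(m in banner.lower() for m in AUTOMATION_MARKERS):
        alert["tags"].append("automated-client")
    return alert


class DecoyHandler(socketserver.BaseRequestHandler):
    """Speaks only the first line of SSH: sends a banner, reads the client's,
    logs, and hangs up. No key exchange, no auth, nothing to exploit."""

    def handle(self):
        self.request.settimeout(READ_TIMEOUT)
        try:
            self.request.sendall(FAKE_BANNER)
            data = self.request.recv(MAX_READ)
        except OSError:
            data = b""
        ip, port = self.client_address[:2]
        print(json.dumps(build_alert(ip, port, data)), flush=True)


def serve(bind="0.0.0.0", port=2222):
    """Run unprivileged on a high port and redirect 22 -> 2222 at the firewall."""
    socketserver.ThreadingTCPServer.allow_reuse_address = True
    with socketserver.ThreadingTCPServer((bind, port), DecoyHandler) as srv:
        srv.serve_forever()


if __name__ == "__main__":
    serve()
```

The same handler shape works for a fake SMB, RDP or HTTP decoy: the detection value is in the fact of the connection and the source, not in how much protocol the decoy speaks, and every extra protocol feature is extra attack surface on the sensor itself.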
Socials https://www.linkedin.com/in/anicet-tchoffo/ |
14:05 pm – Track 1 (Herringbone Suite – First Floor) |
Bio Andrea has been working in information security for the past 10 years and for most of that was the only security person in the public sector organisation where she worked. More recently, she has been working in the private sector, supporting teams of developers mostly working in the data, analytics and artificial intelligence/ML space. As part of her role, Andrea maintains the organisation’s threat modelling tool and has seen great results from applying threat modelling early, meaning there are no nasty surprises when the final product is tested. Over the past 12 months she has threat modelled a dozen new architectures for a large migration from one cloud provider to another. |
Talk synopsis Striding out to prevent misconfigurations Let’s be real — “threat modelling” sounds fancy, like the sort of thing that involves flowcharts, frameworks, and someone insisting you need to ‘shift left’. However, most of the time it’s just asking whether you’ve accidentally left your cloud hanging out in the breeze … yet again! This talk brings threat modelling back down to earth. Andrea will walk you through how it’s often less about predicting cyber doom, and more about spotting that someone’s enabled public access or forgotten to enable encryption… again. She will show you how you can perform valuable threat modelling when you don’t have an army of red teamers, blue teamers, penetration testers and developers at your disposal to give their opinion on what could go wrong. She’ll also take a quick spin through a tool that might just help you catch those “oops” moments before they become incidents. Expect practical takeaways and valuable tips on how to help your developers build their infrastructure securely. After all, the most effective security posture is just not leaving the door wide open in the first place. |
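What "threat modelling as misconfiguration spotting" looks like once it is automated, as an added Python example (not the tool the talk covers): a constructed inventory of cloud resources is run through a few checks, and each hit is mapped to the STRIDE category it falls under, so the output reads as a threat model rather than a lint report. The inventory shape, the checks and the STRIDE mappings are this example's own assumptions.

```python
from dataclasses import dataclass

# Constructed inventory in the shape a cloud export or IaC plan might give you.
INVENTORY = [
    {"type": "bucket", "name": "analytics-raw",
     "public_access": True, "encryption_at_rest": False, "access_logging": False},
    {"type": "database", "name": "warehouse-pg",
     "publicly_accessible": True, "require_tls": False, "automated_backups": False},
    {"type": "firewall", "name": "jump-sg",
     "ingress": [{"port": 22, "cidr": "0.0.0.0/0"}, {"port": 443, "cidr": "0.0.0.0/0"}]},
    {"type": "bucket", "name": "ml-models",
     "public_access": False, "encryption_at_rest": True, "access_logging": True},
]

ADMIN_PORTS = {22, 3389, 5985, 5986}
ANY = {"0.0.0.0/0", "::/0"}


@dataclass(frozen=True)
class Finding:
    resource: str
    stride: str   # Spoofing, Tampering, Repudiation, Information disclosure, Denial of service, Elevation of privilege
    issue: str
    fix: str


def check_bucket(r):
    f = []
    if r.get("public_access"):
        f.append(Finding(r["name"], "Information disclosure", "bucket is publicly readable",
                         "block public access; grant per principal"))
    if not r.get("encryption_at_rest"):
        f.append(Finding(r["name"], "Information disclosure", "no encryption at rest",
                         "enable default encryption with a managed key"))
    if not r.get("access_logging"):
        f.append(Finding(r["name"], "Repudiation", "no access logging",
                         "enable access logs to a separate, append-only bucket"))
    return f


def check_database(r):
    f = []
    if r.get("publicly_accessible"):
        f.append(Finding(r["name"], "Information disclosure", "database reachable from the internet",
                         "move to a private subnet; reach it via bastion or private endpoint"))
    if not r.get("require_tls"):
        f.append(Finding(r["name"], "Tampering", "clients may connect without TLS",
                         "require TLS and verify the server certificate"))
    if not r.get("automated_backups"):
        f.append(Finding(r["name"], "Denial of service", "no automated backups",
                         "enable backups with a tested restore procedure"))
    return f


def check_firewall(r):
    f = []
    for rule in r.get("ingress", []):
        if rule["cidr"] in ANY and rule["port"] in ADMIN_PORTS:
            f.append(Finding(r["name"], "Elevation of privilege", f"admin port {rule['port']} open to the world",
                             "restrict to VPN/bastion ranges or use identity-aware access"))
    return f


CHECKS = {"bucket": check_bucket, "database": check_database, "firewall": check_firewall}


def threat_model(inventory):
    findings = []
    for r in inventory:
        findings.extend(CHECKS.get(r["type"], lambda _: [])(r))
    return findings


def summarise(findings):
    """Count per STRIDE category, the view a lightweight review needs."""
    counts = {}
    for f in findings:
        counts[f.stride] = counts.get(f.stride, 0) + 1
    return counts


if __name__ == "__main__":
    fs = threat_model(INVENTORY)
    for f in fs:
        print(f"[{f.stride}] {f.resource}: {f.issue} -> {f.fix}")
    print(summarise(fs))
```

Running this against a plan before apply is the "catch the oops before it becomes an incident" step; the STRIDE label is what lets a single security person explain to the developer why the fix matters rather than just that a rule fired.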
Socials https://x.com/allaboutclait |
14:05 pm – Track 2 (Tweed Room – Second Floor) |
Bio Senior Developer at Talos360 | Microsoft MVP | O’Reilly Author I’ve been working as a .NET developer for over 16 years now in a variety of industries including government, retail and manufacturing. But I’ve been hacking around with computer code since I was old enough to read my Dad’s copy of the ZX Spectrum BASIC coders manual. I’ve been speaking about Functional C# at various user groups and conferences around the UK, USA, Europe and Australia and am particularly interested in seeing just how far we can push C# without breaking it. In 2023 I released my first technical book: “Functional Programming with C#”, published by O’Reilly Media. When I’m not coding, or running after my two small children, I have been known to enjoy the classic series of Doctor Who, Fighting Fantasy Gamebooks, Cryptic Crosswords, and rather more coffee than is probably good for me. |
Talk synopsis Hack the Planet! What Movies can Teach Us about InfoSec The movie industry is over 100 years old now, older even than the computing industry in many ways! It’s seen just about every form of computer technology come and go over its long history, and often has something to say about it. Sometimes profound, but often ridiculous. In this talk, we’re going to look over the last 100 years of cinema history to see what it has to say on the subject of InfoSec, hacking and other security topics. On our cinematic odyssey, we’ll be looking at topics such as: * How the dinosaur incident in Jurassic Park could have been easily avoided with a few simple changes * What is the most accurate hacking movie? * Who was the first hacker depicted in cinema? The answer might shock you! * A 90s cyber-thriller that clearly doesn’t understand the difference between websites and executables * How baddies throughout cinema history could have been unbeatable with good password policies Grab a bucket of popcorn, and let’s dive on in! |
Socials https://www.linkedin.com/in/simon-painter-45a05217/ https://bsky.app/profile/simonpainter.bsky.social |
14:05 pm – 101 Track (Denim Room – Second Floor) |
Bio I am an Information Security Consultant at Pentest, where I primarily work as a pen tester – securing the applications and infrastructure of our diverse range of clients. I specialise in web app testing of cloud-native, multi-tenant SaaS platforms. I have worked in infosec for over 20 years, for consultancies, in-house teams, and a webapp security tool vendor. I love sharing my knowledge, which includes delivering Secure Code Workshops as part of my role at Pentest, and also drove the development of XSSy. Other than working I enjoy running, cycling and meditation. |
Talk synopsis Building an XSS Playground While XSS is often simple, some variants require sophisticated techniques to exploit. Having the skills to exploit these tricky scenarios can be the difference between a good pen tester and a great pen tester. I built XSSy as an open lab platform to teach XSS skills from novice to expert, and to crowdsource solutions to challenging scenarios. This talk will cover how to use XSSy to build your skills and how to create labs to collaborate on techniques. It will also describe some of the challenges of creating a realistic training environment, and how XSSy has been designed to address those challenges. |
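The context problem that makes some XSS variants hard, as an added Python example (not XSSy code): the same four payloads rendered by context-blind templates and by templates that encode for HTML text, attribute, JavaScript string and URL contexts, with a small lab-style check that reports whether a break-out token survives. Payloads and markers are constructed. The JavaScript case shows why `json.dumps` alone is not enough when the value can contain `</script>`, and the URL case uses a scheme allowlist rather than a `javascript:` blocklist.

```python
import html
import json
from urllib.parse import urlsplit

# Constructed payloads, one per output context the renderers below cover.
PAYLOADS = {
    "html_text": "<img src=x onerror=alert(1)>",
    "attribute": '" autofocus onfocus=alert(1) x="',
    "js_string": "</script><script>alert(1)</script>",
    "href": "javascript:alert(document.domain)",
}


# --- vulnerable: the same raw string dropped into four contexts ---------------
def unsafe_text(s):
    return f"<p>Hello {s}</p>"

def unsafe_attribute(s):
    return f'<input value="{s}">'

def unsafe_js(s):
    return f"<script>var name = '{s}';</script>"

def unsafe_href(s):
    return f'<a href="{s}">profile</a>'


# --- hardened: encode for the context the value lands in ---------------------
def safe_text(s):
    return f"<p>Hello {html.escape(s)}</p>"

def safe_attribute(s):
    # quote=True also encodes " and ', and the attribute is always quoted
    return f'<input value="{html.escape(s, quote=True)}">'

def js_string_literal(s):
    # json.dumps yields a valid JS string literal but leaves < > & alone, so a
    # value containing </script> would still close the script block
    return (json.dumps(s).replace("<", "\\u003c")
                         .replace(">", "\\u003e")
                         .replace("&", "\\u0026"))

def safe_js(s):
    return f"<script>var name = {js_string_literal(s)};</script>"

def safe_href(s):
    # allowlist the scheme; a blocklist misses 'JavaScript:', 'java\tscript:' and friends
    scheme = urlsplit(s.strip()).scheme.lower()
    target = s if scheme in ("http", "https") else "#"
    return f'<a href="{html.escape(target, quote=True)}">profile</a>'


BREAKOUT_MARKERS = {            # constructed: what a successful break-out leaves behind
    "html_text": "<img",
    "attribute": '" autofocus',
    "js_string": "</script><script>",
    "href": 'href="javascript:',
}

def breakout_survives(rendered, context):
    """Lab-style check: does a context-breaking token survive unencoded?"""
    return BREAKOUT_MARKERS[context] in rendered


VULNERABLE = {"html_text": unsafe_text, "attribute": unsafe_attribute,
              "js_string": unsafe_js, "href": unsafe_href}
HARDENED = {"html_text": safe_text, "attribute": safe_attribute,
            "js_string": safe_js, "href": safe_href}

def run_lab(renderers):
    """Map each context to True if its payload still breaks out of that context."""
    return {ctx: breakout_survives(renderers[ctx](PAYLOADS[ctx]), ctx) for ctx in PAYLOADS}


if __name__ == "__main__":
    print("vulnerable:", run_lab(VULNERABLE))
    print("hardened:  ", run_lab(HARDENED))
```

A lab that only grades on the HTML-text case teaches `html.escape` and stops; the attribute, JavaScript and URL rows are where most of the interesting real-world bypasses live, because each needs a different encoder and the wrong one looks safe at a glance.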
Socials https://x.com/paulpaj |
14:40 pm – Track 1 (Herringbone Suite – First Floor) |
Bio Ana is a Cyber Security student who happens to also be disabled. She is very passionate about educating others in the cyber security field especially when it comes to the accessibility of information and how that looks from an EDI perspective. Ana has been working on various projects around cyber security including looking at policies and seeing how they can be made more accessible for everyone but especially for those with disabilities with the BSides conferences being a part of that. Ana’s main focus this year has been on ISO 27000 and how the framework can be improved to better represent emerging threats as well as the bigger need for EDI in the cyber world. |
Talk synopsis Password Hell – Accessibility challenges in Cyber Security In the cyber security world there are many challenges faced by numerous different people. One of those groups is those who are disabled: there are 16.1 million people (24% of the population) in the UK who are considered disabled, and yet they are rarely taken into account when new policies are being made. I want to bring to light this issue specifically when it comes to passwords; for able-bodied people they are already a pain, but for those of us who are disabled they are a nightmare, and even new technologies like MFA can be more of a burden than they set out to be. I’m proposing some solutions to this, like the wonderful world of password managers and even physical storage for passwords, and shining a light on some outdated views like the dreaded password expiry that in fact only makes accounts less secure. Now, you may wonder who I am to be speaking on such a sensitive topic: I am a Cyber Security student from Manchester Metropolitan University and I have been disabled since the age of 4. I have seen first hand the struggles that those with different disabilities to me face and I also have first hand experience with some of those struggles. My intention is to hopefully get you all thinking about how you can make your workplace more accessible and implementing some ideas to make everyone’s life easier, but especially for those who already struggle. |
Socials https://www.linkedin.com/in/ana-maia-cs |
14:40 pm – Track 2 (Tweed Room – Second Floor) |
Bio |
Talk synopsis BrakRPi: Crashing Bluetooth communications on Raspberry Pi using Braktooth In August 2021, a group of researchers discovered a series of vulnerabilities in commercial Bluetooth stacks ranging from DDoS to Arbitrary Code Execution and tested smartphones, laptops and smart devices that use vulnerable SoCs. I was able to contribute to the research independently by successfully reproducing the vulnerability on Raspberry Pi, disconnecting the device from the remote target Bluetooth speaker. This talk will cover the story behind it. I will describe the steps I took to reproduce the vulnerability on Raspberry Pi, how Braktooth is able to disrupt the connection on a technical level, taking the example of the vulnerability used in my research, and why fixing it is not as trivial as it may seem. |
Socials https://www.linkedin.com/in/ilias-akhmedov |
14:40 pm – |