National and international experts informed 400+ participants during this one day security event. On 29 June 2017, Madison
Gurkha organised this unique event for the fifteenth time: a special anniversary edition.
KEYNOTE: Brigadier General Hans Folmer, Commandant General of the Dutch Cyber Command (DCC) (slides will follow soon)
Closing ceremony by Dirk Jan van den Heuvel
Drinks / Information market
KEYNOTE by Bill Cheswick
Bill Cheswick (Ches) joined us from the U.S. to provide a keynote for this special edition. Ches is known for his early work in Internet security, including firewalls, proxies, and as co-author on the first full book on firewalls.
He is also noted for his work in visualizations, especially Internet maps, which have been (re)published widely.
"I am throwing together lots of thoughts, experiences, and predictions into a new talk." Topics may include ancient data, old data, data analysis, leaky data, vast data, fake data, tagged data, public data, lucrative data,
personal data, protecting data, long term data, and anonymous data.
Brigadier General Hans Folmer, Commandant General of
the Dutch Armed Forces Cyber Command (DCC) gave
a keynote speech at the end of the program on June 29th 2017.
The DCC contributes to military operations with cyber
capabilities in order to realise freedom of manoeuvre in
the information environment.
During his keynote he explained what this means.
"The Future is False Positive" by Hans de Zwart, Executive Director Bits of Freedom
The future will indeed be false positive. In this talk he discussed the following three things:
1. Look at some worrying (and occasionally wryly funny) recent examples of false positives: a person with Parkinson's disease suspected of being a bus bomber,
a police officer identified as a burglar and a black person classified as a gorilla. Examples like these can be interpreted as "weak signals" of a
future that will likely be riddled with wrong judgments and spurious accusations.
2. Identify some of the causes of this problem: fear as a motivator for policy making, our changing attitude towards risk and, most importantly,
a drastic increase in the number of decisions made by machine learning algorithms.
3. Explore a few of the practical strategies that we could implement in trying to decrease the number of false positives
and minimise their damage.
Madison Gurkha had an extensive interview with Hans de Zwart in anticipation of his presentation. Click here to read it! (in Dutch only)
"New Sheriffs in town…" by John Fokker, Digital Team Coordinator at the Dutch National High Tech Crime Unit (NHTCU)
John Fokker works as a Digital Team Coordinator at the National High Tech Crime Unit (NHTCU), the Dutch federal police unit dedicated to investigating advanced forms of national and international cybercrime. He is a project leader for the NoMoreRansom initiative, a public-private project founded by the NHTCU, Europol’s European
Cybercrime Center, Kaspersky Lab and Intel Security, to disrupt cybercriminals spreading ransomware and to aid victims of ransomware.
In this talk John gave some interesting details about this project: how the No More Ransom initiative started and grew from a one-hit wonder into a global movement to fight ransomware. Check out www.nomoreransom.org.
"Plan to Throw the First One Away" by Meredith L. Patterson
In The Mythical Man-Month, Fred Brooks famously advised, "The management question, therefore, is not whether to build a
pilot system and throw it away. You will do that. Hence, plan to throw one away; you will, anyhow." His advice
sparked the evolution of rapid prototyping and agile development. Even so, especially in the web era, companies still find themselves taking
hacked-together prototypes into production -- and having to re-engineer at great cost later, especially once security flaws rear their heads.
What would happen if people really did plan to throw the first one away?
We decided to find out, and built our development budget, hiring plans, schedule, and architecture around Brooks' advice. Does prototyping by any means necessary, then reimplementing from scratch in
functional languages according to language-theoretic security principles reduce technical debt and lead to more reliable software? The participants now already know!
"Physical Pentesting" by Walter Belgers, Principal Security Consultant Madison Gurkha
In this lecture, Walter Belgers explained some techniques and tricks to get past doors and locks with the ultimate
goal of getting physical access to your IT infrastructure. If an attacker can just walk into your computer room, access to the data that is on
your systems becomes dead easy. IT people normally do not have to deal with physical security, as that is another department's responsibility. The attendees of this talk are now hopefully able to detect physical flaws and get them fixed.
"The ethics of privacy" by Rachel Marbus, Privacy Officer KPN N.V.
In working with data, we want to comply with the law. Consider the processing of personal information: this is supposed to be done
in accordance with the rules in the Personal Data Protection Act (and soon, with the General Data Protection Regulation). In doing this, we are really
only considering the micro level of privacy: data protection. The macro level is the constitutional right - "Everyone has the right to protection of his/her private life" - which also provides protection for values like autonomy and freedom. These values become more important as we process more data, from more
sources, with more resources. It becomes truly big.
Are we still seeing The Bigger Picture? Rachel Marbus took a close look at the ethics of privacy. What if an application of big data is permitted
by law, but not really right?
25 years before the Edward Snowden revelations, in 1988, Scottish investigative
journalist Duncan Campbell uncovered and reported the world's first mass
surveillance system targeting international communications - covername ECHELON.
At every step of technical change in data transmission and processing, from
the long secret invention of the world's first computer, and even soon after
Marconi deployed his invention, government intruders into private communications
have been in to help themselves - deeper, wider, and faster than historians have
ever recorded, or than most people could have believed.
Technologists have hoped that technical solutions, especially cryptography,
might by now have become the means to normalise previous experiences of security
and privacy. But is it now "game over"? Can better understanding, transparency,
and regulation help?
"Losing Yourself in a Cloud of Things" by Michael Kubiaczyk, Principal Security Consultant Madison Gurkha
The "Internet of Things" is growing and we can't stop it. We've barely seen the tip of the iceberg
when it comes to Internet-enabled devices which make us ask: "What is this ridiculous nonsense?" As the security-unconscious
masses buy into the promise of personalized everything, everywhere, identity management will become even more important - for devices as
well as their attached human peripherals. Michael presented a few future use-cases and drew parallels with existing technological solutions.
"Hack for Safety - TIBER & MGs RED teaming Approach" by Rogier Besemer, Program manager TIBER at De Nederlandsche Bank & Ralph Moonen, Technical Director Madison Gurkha
TIBER (Threat Intelligence Based Ethical Red teaming) tests the cyber resilience of the Dutch
core financial institutions against advanced attackers. It aims to improve the cyber resilience of the participants.
TIBER builds on previous experiences by the Bank of England (CBEST). Key to the program are: using threat intelligence,
emulating the best attackers and collaboratively learning from the findings. Rogier presented the TIBER background, goal and the expected results.
What makes a Red Teaming exercise truly worthwhile? Ralph presented his point of view and shared his experiences from recent projects.
Several topics were highlighted, including social engineering and the uses and pitfalls of threat intel.
Hands-on hacking workshop Raspberry Pi
Always wanted to gain insight into the approaches a hacker will use to retrieve your passwords?
Even from a locked computer? During this workshop we showed the participants how a Raspberry Pi can be used to receive passwords,
install backdoors, siphon data and monitor network traffic. In various scenarios we guided the participants through the setup and possibilities of a
Raspberry Pi as an attack platform.
Time: morning session 10:30 – 12:30 and afternoon session 13:30 – 15:30
Please note! Hands-on hacking workshops are very popular and the number of participants is limited.
Are you on the waiting list? We are looking at possibilities for organizing the workshop later this year. We will keep you up to date.
PGP Key Signing Party
During this year's BHS edition we also organised a PGP Key Signing Party.
PGP is a popular method to provide end-to-end encryption for email communication. The PGP public key infrastructure relies on a web-of-trust where
users are validated by other users. A key signing party is a get-together of people who use the PGP encryption
system with the purpose of allowing those people to sign each other's keys, thereby strengthening the web of trust.
This session was intended for experienced PGP users and was not an introduction on how to use or configure PGP.
In fact, computers are not even used during a PGP Key Signing.
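To show why a key signing party "strengthens the web of trust" in a measurable way, here is an added example (not code from the event page or from Madison Gurkha) that simulates the classic web-of-trust validity calculation. It goes a little beyond the paragraph above: it models GnuPG's default thresholds (one fully trusted signer, or three marginally trusted signers, within a certification depth of five), and then replays a constructed scenario in which a key that was unverified before the party becomes valid once enough marginally trusted attendees have signed it. The participant names, the trust assignments and the signature sets are all constructed for the illustration.

```python
"""Simplified model of the PGP web of trust (added example, not the page's code).

validity  = can I be confident this key belongs to its stated owner?
ownertrust = how much do I trust this *person* to verify other people's keys?
A key becomes valid when it carries enough signatures from keys that are
themselves valid and whose owners I trust.  Thresholds below are the classic
GnuPG defaults (completes-needed 1, marginals-needed 3, max-cert-depth 5).
"""

COMPLETES_NEEDED = 1   # one fully trusted signer is enough
MARGINALS_NEEDED = 3   # or three marginally trusted signers
MAX_CERT_DEPTH = 5     # longest accepted chain from my own key


def compute_valid_keys(own_key, signatures, owner_trust):
    """Return {key: depth} for every key considered valid from own_key's view.

    signatures : dict  key -> set of keys that have signed it
    owner_trust: dict  key -> "full" | "marginal" | "none" (my trust in owner)
    """
    valid = {own_key: 0}          # my own key is ultimately trusted, depth 0
    changed = True
    while changed:                # iterate until no new key becomes valid
        changed = False
        for key, signers in signatures.items():
            if key in valid:
                continue
            full, marginal, depths = 0, 0, []
            for signer in signers:
                if signer not in valid:          # only valid keys can vouch
                    continue
                depth = valid[signer] + 1
                if depth > MAX_CERT_DEPTH:       # chain too long, ignore
                    continue
                trust = "full" if signer == own_key else owner_trust.get(signer, "none")
                if trust == "full":
                    full += 1
                    depths.append(depth)
                elif trust == "marginal":
                    marginal += 1
                    depths.append(depth)
            if full >= COMPLETES_NEEDED or marginal >= MARGINALS_NEEDED:
                valid[key] = min(depths)
                changed = True
    return valid


def key_signing_party_demo():
    """Constructed scenario: returns (valid_before, valid_after) as sets of key names."""
    me = "alice"
    # Alice verified Bob, Dave and Erin in person earlier and signed their keys.
    # She trusts each of them only marginally as certifiers of others.
    owner_trust = {"bob": "marginal", "dave": "marginal", "erin": "marginal",
                   "carol": "none"}
    before = {
        "bob": {"alice"}, "dave": {"alice"}, "erin": {"alice"},
        "carol": {"bob"},           # only one marginal signature: not enough
        "frank": {"carol"},         # signed only by someone Alice does not trust
    }
    # At the party Dave and Erin check Carol's fingerprint and ID and sign her key.
    after = {k: set(v) for k, v in before.items()}
    after["carol"] |= {"dave", "erin"}

    valid_before = set(compute_valid_keys(me, before, owner_trust))
    valid_after = set(compute_valid_keys(me, after, owner_trust))
    return valid_before, valid_after


if __name__ == "__main__":
    b, a = key_signing_party_demo()
    print("valid before party:", sorted(b))
    print("valid after party: ", sorted(a))
```

The scenario makes two points a first-time attendee tends to miss: three marginal signatures are needed before a key becomes valid under the default thresholds, so one signature from the party does not help on its own, and a valid key is not the same as a trusted certifier, which is why Frank's key stays unverified even after Carol's becomes valid.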