Security BSides Athens 2025 Live Stream

BSides Athens · 10:23:09 · 1.1K views · Published 2025-06
About this talk
Twitter: @BSidesAth · Discord: discord.com/invite/vzBNPzs

It was our first attempt at a live stream. We have all the sessions in high definition, and we will release them on our YouTube channel.

Well, uh, Folks, just All right, folks. Just to give you a heads up that the conference will be kicking off in about 10 minutes from now. Just to let you uh know that that is about to get started here for Besides Athens 2025 and really looking forward to it. And be sure to follow along with us on the podcast today. I'm Dave Lewis and I'll be joined by Ulana. And yeah, it's going to be uh quite an adventure today. So, we will be back in about well nine minutes now. See you then.

I couldn't hear the mic.

Should be really close. Yeah, this is always the best.

This is not a test. This is your emergency broadcast system announcing the commencement of the annual purge sanctioned by the Security BSides Athens governing body. Cyber weapons of class 4.2 and lower have been authorized for use during the purge. All other cyber weapons of mass disruption are restricted. Conference and CTF officials have been granted immunity from the purge and shall not be engaged. Commencing at the siren, any and all cyber warfare activities, including activation for complete target takeover by exploiting remote code execution zero-day vulnerabilities, will be acceptable for the next 12 hours. E-crime units, CSIRTs, CERTs, and DFIR services will be unavailable until the allocated time frame is completed when this cyber purge concludes.

A huge thanks to those bad practices that make these attack scenarios possible across the globe, approved by impostor cyber leads, snake oil services, and a severe lack of cyber due diligence practices. This is Security BSides Athens 2025, the Purge edition. May the odds be always in your favor.

Welcome to Security BSides Athens 2025, our 10th year anniversary running this conference. This year's conference is themed as the Purge edition. We are here to purge all bad practices and learn to defend against impossible situations by being well prepared. Commit to a future-looking mindset for achieving cyber resiliency. Join me in thanking the whole Security BSides Athens team for putting together a community-powered conference bringing together security professionals from all over the world. A huge thanks goes to all speakers, sponsors, volunteers, our special guests, our keynote speaker, and all of you for making this event a successful event. The day is full of knowledge, activities, learning outcomes, networking opportunities, and much, much more.

There is a live podcast being broadcast on our YouTube channel where speakers, sponsors, and special guests will have the opportunity to communicate their message, reaching the broader infosec community across Greece and beyond country borders. Subscribe now to our YouTube channel and let everyone who is not able to be here physically join the live stream. Be ready. We might interview any of you during the day for the live podcast. Last but not least, our deep appreciation and thanks to the University of West Attica for being ahead of the curve, trusting us and hosting this world famous event for a second year. The University of West Attica has taken very important steps towards designing and delivering courses

in cyber security that are already ahead of the curve. Join our extended team. Volunteer and help us organize the next conference. Talk to us and bring your expertise and talents into the Security BSides Athens team. We want you to support, participate, volunteer, present and above all have fun. Take the time to visit our sponsors. Talk to them. Understand what they do, how they do it, and why not seize the opportunity to plan an interview. A huge thank you to Threat Scene for supporting the community and going above and beyond in becoming the diamond sponsor for this year's conference. Please join me in a round of applause for Threat Scene for making this event a reality, breaking all expectations we had

originally.

May the odds be always in your favor. Hack the planet. Let the purge commence.

finally let us out of our cages. And this is pretty awesome. We are kicking off here at BSides Athens. I'm Dave Lewis and I'm here with Ulana Seiko, not Seyo. I got it right this time. And uh yeah, so good morning everyone and welcome. We are a community event celebrating 10 years here at BSides Athens. And apparently I am so tired that I'm tripping over my tongue. Juliana, welcome. And I understand that you are originally from somewhere local to where we are right now. Oh yeah. Close to the Balkan region from Albania. There you go. And I got to witness a uh Greece versus Albania t scrap this morning. It was really fun. Welcome to

the Balkans, Dave. There you go. Well, we have 35 talks today. We got hardware hacking, we got hands-on workshops, quantum computing, and all the things. So, if you want to check out the speakers that we have today, please check on the website. And uh what kind of updates we got there? Got some drones, some hardware hacking, all that sort of fun stuff. It is going to be a very fun day. And uh it looks like we are kicking things off on the main stage with some housekeeping items.

And I'm just seeing myself on video here. And I look like an unmade bed. This is like wonderful. Say hi to the camera. Hello camera. It says it says that the camera adds 10 lbs. I just lost 30 lbs and now I'm looking on the camera and I look like I gained 400. This is just Yeah, they're getting my double chin. Not happy about that, but we we'll survive. Well, see that's why I grew a beard then. I it that was my one way to hide mine. Very strategic. I have I have nothing that I can do there. Well, back in Canada, you know, it gets really cold, so I had to use some sort of face covering. Also

gave me some growth in my life. Built-in scarf could be helpful in Chicago. Yes. Yes. That's where the snow goes sideways. All right. And we're giving some shout outs to the sponsors.

So they can't hear us. They're coming. We are showing outside. You are speaking normally. Oh, okay. So apparently we're doing a voice over while they're on stage right now. So we're giving a shout out to our sponsors right now. Couldn't do it without them. Yeah. Well, that is absolutely true. So, we have uh in our bronze sponsors, we have the Cyber Security Challenge Greece, and Vizio, Nexi. What are the other two there? BSides Chicago. Nice. I recognize the flamingo from anywhere. And Cyber Flip. Well, thank you very much for y'all. And look at the next sponsor there. There you go. We have our very own Canadian 1Password is sponsoring the

afterparty and hopefully we'll get that all sorted out before the day is out. Uh what else we have? Silver sponsors of ProNet and Performance and I missed the slide with the gold sponsors. That's not good on my part. And special thanks to our CTF partner Hack The Box and supporting partner OWASP. Can you tell we have not rehearsed this yet? We have a lot of community partners though. Oh my, that is I'm not even going to try. Go ahead. Lots of local BSides Cyprus, BSides Tana, BSides Chicago tiny for me to understand, but we have the Hellenic ISC squared or ISC or however they're calling it these days. My apologies, I don't remember. And the university and wow that is a lot of past

sponsors as well. Thank you all to them for making this the event that it has turned into being uh 10 years. Wow. Absolutely fantastic.

Yeah. Being part of BSides really interesting. It it the one thing people have to understand this is a community-driven event and it is not possible without the interaction of the volunteers and getting people in the community to be part of this. This is an event for you by you. So if you get the chance to chip in at wherever you are there are BSides literally around the world. If you check out uh the BSides website um securitybsides.org I believe it is the exact URL. That'd be good. Uh now speaking of community, we have our core organizers are up on the screen right now. Dr. Greg Threscos, organizer, Jessica Russo Olga Nikos Ditri, Deites, double triple. We got

three Ditri. No waiting. All right. Well, would this event is actually, you know, not possible without all of the amazing volunteers and the fact that they let and I be able to voice over this and ramble all day is quite a nice touch as well. We love doing this. I mean, we came all the way from the US. Well, you from Chicago. Sorry. Let me clarify that for you, Dave. I came from Canada. They don't claim us. And a shout out to our volunteers and our extended team for making all the magic happen behind the scenes and our local team here at the podcast room who I'm sure are going to be sick of us

by the time the day is over. I'm just going to throw in some Greek jokes and they'll they'll be happy again. And thank you to all the viewers that are uh tuning in to have a look here. Uh really glad you could be with us today. We see you.

Yeah. If you just click on that attachment that says document.doc.exe, we'll be off to the races. Kidding. Don't ever do that.

So, how many times have you been to BSides Athens? BSides Athens. I think this is my third or fourth time being here and I was really fortunate to be here for the second uh BSides Athens in 2017 where they were either nice enough or deluded enough to let me be the opening keynote. I haven't really decided there, but it was just a fantastic opportunity. And uh this is this event has changed locations a few times over the years, which makes sense because it's now, you know, over a thousand attendees. And it's just absolutely fantastic to see, you know, these community events really turning into quite literally the mainstream because I remember when I first started

doing BSides, like I was at the first BSides Las Vegas and uh co-founded BSides Toronto, and back then it was a few people in a bar or something like that that got together and shared information, and now you have events around the world that are literally thousands of attendees, and it's really quite fantastic to be able to see the growth both of this and how they are in a lot of cases dwarfing the mainstream commercial events now, and uh I find that really quite something. Great ideas start at a bar. There's a lot of that. Yes, in one bank that I used to work for we had all these uh network designs designed on napkins from the local bar

that was a block away from the building I wish I was joking but we really did an actual network design actual That was a Yep. You could see the ring where the pint was sitting right on it. It's like, okay. All right. Is that a challenge coin? That is. Yeah. For the first 50 people that signed up, that was designed by Demetrius Cyrus and Carrie Lander. Pretty nice looking. Beautiful. And the first attendees on site get an RFID block card. I just used the plate in my head, but that's okay. I'm kidding. They haven't put that in yet. If you're watching, just take a screenshot. That is your personal challenge coin.

I don't even know what that is. A limited edition PAP protocol, Ethereum based. A QR code. All right. I'm not even sure what that is, but if you're watching the live feed, you'll see that come up in just a minute. bit of a delay between the slides and uh the voice. So I don't know if our voice is actually coming across out of sync or in sync with the slides. So that'd be an interesting question. Well, look at the next slide. Oh, there we are. We are live on the air. Catfishing out here. Oh dear. We'll let the audience be the judge of that. Exactly. Yes. except they can't really quite see from this angle. It's

funny that picture from 2019 and I still use it. Mine is also a little outdated. The best was I actually saw somebody had shared a picture on I think it was LinkedIn of themselves and I know that person and I also know that the picture they shared was at least 25 years old. Uh when I first joined my team, one of the oldest members, he still keeps his first picture from when he started 20 20 or 30 years ago at the company. And of course, I got tricked. It It's quite something. Yeah, I saw a lot of people in their badge, they have that OG picture when they started and it's like maybe you want to update that because

you know as you're going through security, yes, there's all the electronic aspect, but if somebody physically challenges you, you're like, "Yeah, that's not you." Yeah, it was once. All right. Really cool thing, too, is we have a soldering workshop here on site and people will be able to uh try their hand at uh a little bit of hardware hacking and a drone center. With all the various types of kinetic warfare events that we're seeing today, this has really come to the forefront in conversation about drone technology. And uh if you're familiar with Miko Hippen, he was with F-Secure for many many years and he has now actually gone off to join a company doing drone technology. So

very cool, really cool stuff there. There's also a book exchange. And also the opening keynote today will be Craig Jones and uh looking forward to that.

All right. And now Craig Jones is taking to the stage with his talk. Craig's scrapbook, the early years. I don't think is that his actual title? Conventional yet unconventional law enforcement career. And of course, his first slide is completely throwing me for a loop.

Well, I definitely haven't started my BSides journey like you, Dave, but only been around 2 years in the community attending BSides events all over Europe and the US. And I'm ready to get schooled and take some notes from all these amazing presenters today and you as well, which you are presenting later today. Oh, yeah. That's right. They they gave me a broom closet to go hide in. Be modest. That's part of being Canadian. I wonder where our audience is from. Would love to see in the chat. Yeah. If uh people want to jump into the chat there and uh ask some questions or what have you or let us know where you're coming in from, that would be pretty

cool.

You're welcome to type in Greek as well. We'll we'll translate it. Yeah. Well, is on point there. I can say important stuff. Oh, yes. Of course. That's usually at 3:00 a.m. or it was many years ago. What is this?

Must be really difficult to be in law enforcement these days when dealing with cyber security, especially when you take into account all of the different technologies that are being pulled into the mix, artificial intelligence and what have you. that really is making it not only easier for organizations to better protect themselves, but for attackers to be able to, you know, increase their abilities as well. Um, and then of course there's the, you know, various companies out there that claim to be using AI and it's like, oh no, that's just a bash script. Thanks for coming out. How long did we go till we said AI finally? Well, we knew Oh my goodness. Good job. If the booth is

being invaded. Oh, wow. Special guest. Hello. All right, the purge has begun. Uh, I volunteer as tribute. That is a wonderful team. I don't think I've seen that one yet. Very beautiful design work. Shout out to everyone who has worked on that. Yeah, that's quite something. I'm excited to wear the shirt later. I have to actually get my hands on my uh my shirt as well. I haven't actually picked up any of my stuff yet. You should do a giveaway. Do you do those? I don't. Uh when I first started in radio, I actually did a giveaway because every other radio show at the station I was at, we were getting concert tickets and things to give away and nobody gave me

anything. So, I went out and bought a canned ham and I gave away a canned ham on the air and it was so popular that I actually had the most people call in out of any radio show ever to that point in time. So, I got hauled into the manager's office and I thought I was going to get in trouble and they just couldn't even keep a straight face. They just started laughing.

language and if they didn't I was in trouble because I had so we had to do that broadcast out communications room we receive so that's how we used to communicate and then we had technicians which would maintain the equipment so there's a very clear division there between an operator and a technician in 199 with the police. My role there police small town.

Um so I went out the streets and I walked in the community and I protected the community. The role of law enforcement is the protection of property and the prevention of crime. So very clear difference there. property and prevention came afterwards. So that protect piece came out and with the theme we have here as well building to the network of systems that we have and the prevention piece um you know where are we now I would suggest in that world we'll come on to that in a little bit so 1990 we would sit at a prayer room we'd be open the book we would read messages and job attended because the bottom right hand corner off. We had Pam doing

telees. So she would call us up on the radio. We go to our jobs. No mobile phones, no email, no effect. And then it all started changing. So at that point then emails came in mobile phones in those sort of things. Um but what we realized was criminals were starting to adopt the technology and they were adopting it very very quickly. We were quite as quickly because we're public servants and it cost a lot of money and we didn't quite foresee all the opportunities that it was going to afford criminals but also the opportunities for law enforcement until about 1995 when I was involved in Bruce inquiry a massive inquiry into a very famous Liverpool footballer and they talked

about getting throwing matches and things like that and we took mobile phones My job was to mobile phones. So started to pull the data out and it really was I taught myself as I went along. I spoke to mobile phone operators. I said okay that brings up that data. Okay. How can I read that message of it? That's where we were about we were dealing with large data sets and then we realized these things here

phenomenal. We could start tracking criminals by their mobile phones and this was at the time we were going to share it. You know no one's going to know about this technology ever. No one's going to say can't share it. How well we were. So fast forward A few more years we started having the the digital forensics side we know that side digital forensics and forensic world we be overwhelmed by that data set we were getting in we were then looking at cyber crime increasing as well so fraud those sort of attacks and what we did in the UK was we set up regional time so these specialist units have specialist capabilities because we realized we

didn't have the capabilities within each individual force 43 in the UK effectively. So we started set up capabilities and the one I joined was Southeast regional crime unit which was covering four sort of areas here and I was doing digital forensics and forensics and then we had a national cyber report come out and what we had to do then was effectively develop a cyber capability blank piece of paper go and create a cyber team effectively. So how would you cyber team when you haven't created one before. So we looked around at best practice. We looked around at how we investigated crime effectively. And then I went and spoke to this man was a really good hacker. Cal basically

was a criminal and cow was a criminal and he got into the hacking side of things because he was computers. his family had no money and he didn't provide for him. There are other reasons as well, but I went and met railway station, spent three hours talking about how he did what he did and how he thought we could catch cyber criminals. We then had at the moment in about 2014 where we set up a national security center and I know a lot of countries are going through this process about who's in charge whose role is it to protect the nation effectively important government is the private sector but we all know now it's all of us don't we

need very clear rules and boundaries and policies about who did what effectively. So within my cyber team, I set up investigators, analysts, researchers, digital forensics, research and analysis. And our job then was to investigate the high volume, sorry, high impact cyber crimes that were impacting the UK at that time. I'll just take you through a couple of them. Lizard Squad 2014. Over Christmas um so many Christmases ruined as well as many other parents because there were lots of complaints going on then about how could we stop this type of attack that was impacting the whole of the UK. Okay, it's upsetting a lot of Christmases, but the Lizard Squad group got together, but what they realized by doing that was they could make some

money so from that they got offered some money to stop the attack effectively

was a children's game company, global game company. Um 2015 they got hacked. If your passwords happen in 1 2 3 4 you are leaving yourself wide open. The very next man got into their systems was shocked by what you saw. He actually encrypted it two data centers one in one in Germany. We were asked by lawyers to investigate it. From a law enforcement point of view, it's very strange when you're looking at your victims. You have a lawyer phone say I'm acting on behalf of the client. We then had two days of negotiations with the lawyers about the information that they had. Effect what they've done, they've done a full analysis, recovery, and identification. They done all our work for us and they

presented us the case and the quality of that case was something my team couldn't have done at that moment in time. It then allow us to go as an individual which we did against but a person great in the back of the UK um data is not property. So from the law enforcement point of view, we had abuse act to charge that person. Um the powers of community act were not as strong as the act. And what we were trying to do at the time was to bring our legislation up to date, which I wouldn't say is still correct in the UK. I'm sure other countries as well, but when you try and identify what crimes have been

committed, it's coming back to that um protection of crime. Our role as law enforcement is to protect And one of the ways to do that is take away and take him through the court process. He went through the law process. He admitted what he done was totally incorrect and the judge felt sorry for him and he got discharge. He promised again 18 months later this time. But one of the changes for us was this man here in the hacked in the US and he started getting messages through on his home computer and on his TV and his wife was very upset by this. So the full weight of the US judiciary went after the hackers.

Again, that's what they've done. It was for too much. That's why they did it. But when you're stood outside someone's house in 4:00 in the morning on the phone, US agency and they're saying, "Right, go through the door now. You'll be able to catch him. We went through the door. they did query um they sort of saying you know why we don't do that but the interesting part about all of these jobs was how we worked and who we worked with so we were part of European time UK a lot of our work for law enforcement was done through meetings at the um and we were sharing information there has been uploaded there. But really when it worked best is when we

had a case conference and we got the case officers together. So it comes back to some of the best communication is when you're sat with people talk about cases the squad attack when we talk about there was a from 2015 we were speaking about people and we realized Kimmy and others the meetings we wouldn't know this unless we had that face to face meeting enough Kimmy was arrested and sentenced last year 10 years after his first for a large scale attack in Finland nowhere. So he's still at it effectively but the model worked quite well between policing from local to regional to national to to international effectively but then this was a big change for us in

the UK attack. So Friday afternoon I was driving down to this place on the southwest coast north. Lots of meetings going on recognize Marcus. So strange Marcus was sat house over here in my dad's house sorting out and I was coming out my house over here. So these little small connections. It's funny how things come together. But what happened for we raced around the country? No. Totally the wrong thing. We weren't funed to do it. we didn't have the resources to do it effectively. So as part of that then we did a sort of branch review of how we did things and I joined the national crime agency. So that's like my main agency and my role

there was to do the prepare for UK law enforcement. So a budget of about 55 million pounds per year and that was to law enforcement to help upskill capacity. We're also looking at a moment in time about leaving Europe. So all the nice blue people here, you all the year, it's all wonderful. We play nice together. We work really hard. We get great results. We decided to leave in the UK. So we had to look about what our other options were. So we need international

policing organization. It has 196 member countries. Within every country of those 196 you have a national central bureau. This is how we connect into Interpol. This is how we connect police globally. I wasn't really aware of Interpol up until I got to national. We'd always worked through our different contacts. We'd always worked with our trusted countries. But the simplicity and the beauty of Interpol was it's a neutral organization. It can only deal in crime. So Interpol has a constitution for Nazis countries. Part of our role was you can only deal in crime. So anything political, military, racist, religious, you can't touch. So when you overlay cyber against this, you have an interesting sort of piece there

because cyber historically is linked to state nation states tax actors agencies those sort of things so within the program then that I led so I went in as the director of cyber crime um in in Singapore was just there's office and my role then was to advise a global program so gone from the 1999 405 Craig Jones organ machine to running a glo cyber crime program. So anybody here is a program or project manager, you know, you have to have your objectives. So on was simple is to reduce global impact of cyber crime and protect communities for a safer world. So keeping that piece of theme within it. So every conversation, every meeting, how do we start at that

point what we devised out to the program was prevention detection investigation disruption. So how do we prevent, how do we detect, how do we investigate, how do we disrupt effectively? and we bought in the world. So not just law enforcement, we bought in the private sector as well. So the data sets that we got from the private sector are phenomenal. But it had to follow our rules of processing data. So if there's any lawyers in the room, I'm sorry, but my life is made very very hard by lawyers in Inter but actually for the right reasons because we have the privacy side of this as well. So as part of the program then we signed out different um responsibilities

regions. We had the Africa desk, we had the Americas, we had Europe, we had Central Europe and then we had Asia and the rest of the countries. And our role there was to bring in law enforcement officials, train them, and have them work directly in their own countries. But rather than just train, we always did it with an operational focus. So we ensure they have the capabilities. When you're working in Africa and you're trying to communicate with a police officer in Africa or in Nigeria, it's on a Gmail address. How do we know he is who we said he is? So again we develop the tools and platforms that come through the

Interpol channel so they can verify he's a police officer through the national central bureau in each country, and then we engage in the secure platforms to share intelligence and data as well. So what we do then is we coordinate facilitated operations with the private sector. You notice some of the private sector companies' names on the bottom here, and 14 sponsors are one of the involved private sector companies. So they provide data sets to us as well. But that's where we get the data from. We then coordinate the activities in each country. And you know, this is a very recent job, but prior to 2019 we were doing more trainings. Within the team I had, just to give you

a bit of a flavor, I had an assistant director from the US, an assistant director from China, an assistant director from Brazil and South Korea. I had someone from the Iranian cyber police within my team effectively. So it really was an international team that we had there. It was made up of officials such as me and contract staff as well. And again, coming back to the role of the program, during that time as well what happened was at the UN they started the negotiation in 2020-21. A proposal was put forward from Russia around having an international convention on cybercrime. Now see this award.

There we go. So during this process then there was negotiated the international cybercrime convention, which was for law enforcement. It leads to the word. So this now leads to a common language for law enforcement to work to effectively. It's been negotiated. It's been agreed. It now needs to go out to all countries to be ratified effectively.

So last year I decided to hang up my boots from the National Crime Agency, sit in front of a fire and retire effectively. But after 40 years I couldn't do that. So I came out of retirement very quickly. I'm now on the board for the Global Forum on Cyber Expertise. Globally I've advised companies, as well as being a senior associate fellow at RUSI. This is not a plug for any more employment, but this is about how a career can change in many different ways as you go through it effectively. Like everybody here, I'm a volunteer. I've come here, you pay for my ticket, things like this, because you are the really important people in this room here.

There's a number of you here that are doing your training at the moment. You're going through your education, through your qualifications. But these are the people that I want to protect. This is my mom. She was 90 last week. She used to be a Wren, so there's a name fee. My mom's not connected to the internet. Well, she is sort of, but she's never logged on or anything like that. My mom has been a victim of cybercrime or an attempt on multiple occasions. There was a data breach 18 months ago in the UK, the water agency, her local water agency. We put her down as a vulnerable old-age person because she has a few health

issues. She lives on her own. On that data breach, they could see that her phone number was on there. She was getting up to 15 phone calls a day from people trying to scam her. So where we are now is we are now looking at international scam centers. I won't click on the link to this, but there's a lot of work going on at the moment. 2019, Africa, our regional heads meeting, we had someone talking about how if they'd gone into a house, there'd be about 20 people in there in Nigeria. Didn't quite know what to do with it. Sat in front of a lot of computers. Fast forward to where we are now. We're seeing highly organized

crime groups operating around the world impacting our communities, people like Liz. When we look at the cost of cybersecurity and we look at the rising impact of cybercrime and the cost there, we're talking trillions effectively. So from a law enforcement point of view, our role is to create communities to protect communities. This is what all of you are going to do or are doing now. Our role here is to make the world safer effectively, and we all play our part there in some small way. So we don't have any preset questions.

Go time.

All right. Are we live? Oh, yep. We are back on the air. I'm Dave Lewis and I'm Odana Seo and we are back here at BSides Athens 2025 and really excited for the opportunity to be here. It's really an amazing experience for the people that are here on site to be able to actually, you know, be right in front of the speakers and hear all the information firsthand. And I mean, it's great if you're online. If you can get here today in person, that would probably be an amazing idea, because the amount of people here is really quite staggering. Like even in the lobby, just the people milling about and sharing conversations

and drinking all the coffee. It is quite something to see that interaction. Yeah. But most importantly, the chance to network with so many practitioners and people that, I mean, we took a flight all the way from the other part of the world just to come here. So definitely recommend every chance you get to go to a local BSides and attend in person. The tickets are usually very reasonable in price and that's the truth of it too. It's invaluable compared, or the interaction rather you get with people in your industry, to be able to, you know, have these conversations firsthand is invaluable, is where I was going with that, and yeah, it's just

not to be missed, because when I got started in this industry I remember early on, I think one of my very first conferences was DEF CON 7, and I still talk to some of those people to this very day, and it is really amazing how back then we were all, you know, reprobates with shaved heads or green hair, and now here we are all in various large roles in industry. It's just amazing to see how that has really evolved, and a little later on today we are going to be having conversations with folks and being able to have some people come in here and talk about, well, their talks. Yeah,

you get a chance to get a sneak peek for a lot of our speakers that are going to go later today. And then we'll talk to some speakers after their talk as well. And it's really amazing too that one of the first things that I heard when I got here was I got a message from one of the attendees. The name's escaping me at the moment, but he said, "Welcome to the really hot Athens," and it's full-on 32 degrees C today, but when I left Canada to come here, it was 42 Celsius. So this is actually nice cool weather for me, and I can't believe I can actually say that

out loud. I can't say the same. It's still hot. Well, yeah, like the Chicago area can be. I'll listen, I'll take it over the snow and the wind of Chicago. No complaints. Well, that's fair, because that's one of the very few places in the world where I saw snow going sideways. Me too, along with the snow. Well, exactly. Yes, the wind will pick up something fierce. But yeah, Chicago is definitely not without its character. That's to be sure. So we're just waiting on our speakers to come in and have a conversation with us. If you have any questions, feel free to drop them in the chat and we'll see if we can respond

to them. Some of the questions that have been asked, we can't do much with that particular audio level at this moment, but feel free to follow along, or, you know, conversely, if there's a chance you can make it over here today, please go for it.

All right, we have some folks joining us in the studio. Yeah.

Oh, they're all right. Okay. Welcome, guys. So we are going to kick it off with our first speakers. Your presentation is called "SOAR, not Sore". They can't hear us. Replace. We're going to talk about our first presenters here, "SOAR, not Sore". Do you want to tell us a quick overview about your talk? What should we be expecting? Say again? What should we be expecting from your talk today? Give us a little sneak peek. Yeah, what's the highlight reel? What are you going to be talking about today? Yeah. First of all, thanks for the invitation. I'm Argie and we have Stam here. I'm going to talk about

automation. To be honest, today's presentation is volume two of another presentation we had at BSides 2020, "SOAR, not Sore" v1. So now we're extending strictly security automation to a more general perspective. So we're using a technology called SOAR for general orchestration on top of security, ITSM, compliance, AI, human to machine, etc. Now with SOAR, do you look at this as a way of augmenting the security team, or do you look at this as a way to obviate parts of the security team? Because one of the conversations that I see happening a lot is about AI replacing people in industry. And I've seen a couple of companies go, we made a giant

mistake laying people off, we need to have them back. Do you see SOAR as a way to improve or 10x the staff so they can, you know, be able to concentrate on the things that matter? Yeah, practically this is the common thinking about it. You know, when everyone thinks about SOAR, they think about a complementary system accompanying the SIEM and augmenting, let's say, some analysts and stuff like that. But in today's presentation we're going to demonstrate some things about what you can do with SOAR without, let's say, bringing in the factor of integrating it with a SIEM or with a SOC team in order to augment an analyst, but instead

use it in order to perform hectic tasks, like things that take a lot of time again and again and again, and things that you can automate using the SOAR and orchestrate through our platform. We are still pro-people. So I still remember back in the day if we wanted to automate anything it was a bash script, so that was a long time ago. What is the big takeaway that you want people to, you know, learn from your talk today? Yeah. What is that one thing you hope people take away and internalize? I mean, the

hectic stuff, as Tom said, because inevitably if you're doing repetitive hectic stuff in your life you get bored, you'll be prone to mistakes, and inevitably you look for something else. So they need to create some, I mean, we're seeing SOAR as a way to create more quality time for yourself. It's more of a generic comment, not just strictly to, you know, IT and information security, but this is, you know, it is what it is. So, use it as a supplemental, is what I'm doing. So I get that from the title, "SOAR, not Sore", because yes, I remember back when the world was flat when I first got into security. The sore part was really a

part of it. Everything you had to do was hand-cranking. So, you know, being able to have automation now to improve things is absolutely a fantastic aspect of things. What is your favorite piece of this automation piece, beyond, you know, taking away the mundane? What do you see as a value-add proposition for enterprises in general? Okay, so first of all, we're going to talk about an enterprise solution, but for this specific use case, because we're also talking about, we're having, let's say, people from the community here, we're going to utilize the community version of the solution in our demo, and we're going to show and present the

amount of out-of-the-box automation and playbooks that already exist within the solution. Currently we use and we leverage something like more than 850 ready connectors to be used for various solutions and products that are being used by enterprises daily. And we're going to show them how easy it is to onboard a SOAR solution into an enterprise and practically, as said, how we can start having in mind the automation part in order to avoid having mistakes, automating hectic tasks and bringing up more quality time for engineers and in general staff in the enterprise. It's funny too, because I remember starting out in this industry, I learned the best lessons from the

mistakes I made, but you know, taking those mistakes away in this instance is actually a hugely beneficial thing, because it really is helping organizations to, you know, obviate the ability to have catastrophic failures. Yeah, no, I really appreciate you both stopping by today. This is quite an awesome opportunity and it's really amazing that you're actually here as part of this community effort, because BSides Athens, I mean, this is the 10th year. This is quite a watershed moment, for, you know, most conferences don't usually get this far, so it's really good that you're here contributing and being part of the community. And this community edition will be released today, you say? I heard

that earlier. Hey, practically there is already a community edition there, a perpetual trial solution of the product itself that anyone can use, anyone can deploy. There is already documentation on our website about the solution. The thing is there are not a lot of people that, you know, know about it. So we need to make people aware that, okay, we are fortunate, we're global, you know, we're a top-notch cybersecurity company, but still we contribute, we're open, we're very open even as an enterprise vendor, and we have a flavor that, you know, is really free for the community. So, very cool. So, yeah, make sure, I

mean, if you are checking out the talk, it'll be in track two today, to be able to ask them about this as well as get the, I'm sure the URL will be in the slides as well for the community. Yeah. Yeah. Sure. Edits will be coming. Yes. Yeah. In track two, we present with our long gear. So, yes, it will be in 10 minutes, or in 5 minutes from now. That works out. Okay. Any parting last shots before we wrap things up here today? Just, I mean, from my end, we're still, even with SOAR, we'll try to keep it without many referrals to machine learning and AI, just to make it, you know, because it's

the two buzzwords. Oh yes, I struggled a bit about it. We're still prone to mistakes, because, as you said, the learning curve and the learning experience is a journey where you make mistakes, as my psychologist said. I mean, yeah, SOAR will allow people to make new mistakes, not the repetitive ones that I've been doing for the last 10-15 years. You and me both. Nothing like running with scissors. Yeah. His psychologist has a PhD in cybersecurity. Well, thank you so much for being on today. We really appreciate you stopping by and good luck with your talk today. Thank you very much. Cheers. Cheerio.

All right. Anything not to get sore. My headphones are dead. Oh, okay. So, when do we have our next speaker coming up? Should be coming up. It's "Open Sesame: The API Defenders, a Superhero's Quest for Digital Justice".

Yeah, they're dead.

Oh, now I got it. Yeah, now it's working.

Yeah. So, no, I just wanted you to say something so I could see if it was working. Well, if we are still on the air, I had a timer going there. Yeah. So that was seven minutes. Okay. And then the next one we should... Where is the next one?

All right, we are back on the air. This is, like, adventures in podcasting. All right, our next guest is joining us here in the studio. Hello everyone. Hello. And it's an honor. It's an honor being here, guys. Welcome. Welcome. Do you want to do a quick introduction for us? I'm Venezuelis. I am a senior pentester at Enviso and today is going to be, for me at least, a quite interesting day. How is that? Yeah, here we have a talk about API hacking, source code review, compliance guidelines, SDLC, everything related. Today we're going to talk hack and have fun. And where does the social, the digital justice part, can

you talk to us a little bit about that? It was about the compliance part. It was everything related to compliance.

Okay. So, when you say compliance, what should our viewers and our audience, what's a key takeaway they should get from your talk today? Hopefully, I don't know if they're really going to take that info home. Hopefully they'll learn how to perform some basic tests on APIs and how to hack them, and also how to write better code, and most importantly more secure code, because, okay, we have all read some book or have done some training about how to write code, or read multiple books about C and paradigms, but what about security? Yeah. And that's the real problem too, because a lot of these APIs are exposed to the

internet and not fully documented as well, or sometimes over-documented. Fair play. Fair play. So which do you think is worse, undocumented or overly documented? As a hacker, I love having my documentation. I really love having my Postman collections, my Excel files, everything. But from a bug bounty perspective, I also think that if the documentation should be public and the API should be publicly available, okay, give the documentation publicly. If the API is private, or only on a subscription, or you have to pay something, the documentation has to remain private. When you're doing, is pentesting part of your role as well? So when you're doing pentesting, what do you find is the likelihood of success on a percentage

basis? Say you're going up against a client site for the first time. What do you think? Where would you categorize that as the likelihood you're getting in? Well, that's an interesting question, because that's one of those things. I remember back when the world was flat, I used to do some pentesting, and there were some sites I just couldn't get into and other sites I could get into very easily, and there was never that clear delineation as to is it going to be successful or not. And somebody that does this for a living, I figured you probably have more of a benchmark. If I had to put a specific percentage for the apps part only, like

APIs, web apps, fat clients, mobile applications, etc., it would be something like, I don't know, 75-80%. There's always like a 20% where you basically can't do anything. There are no access control issues, or the application is way too flat, way too static. So what to test there? Yeah, start getting demand. Yeah, sometimes the code is such that you just can run over it and it falls down, and that's unfortunate too. And when you're getting, you know, the attendees to listen to this and look at ways to better improve security, you talked about writing better code. Do you have any key takeaways that you would share right now

with the audiences? What do you think they should do first? Tiny spoiler for the talk. Always break everything into functions. Everything must be a separate function. I am a guy who is always like, okay, I have to do this, this and this. I'm going to write this amount of functions. End of story. I'm not going to over-engineer a single function, or do a ton of stuff together, or via one endpoint create a huge function. No, I'm going to call multiple, and it's going to be fun. The simplest advice is always the best, right? And back in my coding days, that's what we were taught. Break everything into functions. Very cool. Thank you so much for being here with us

today. Really appreciate it. Good luck with your talk. And thanks a lot. It's an honor. It's an honor being here. I mean, this is the beauty of community, you know, getting everybody together to share these stories with, you know, a thousand of your closest friends. And I'm sure you're going to have a great time on stage today. Thanks. Thank you. Cheers. Have a good one. Bye-bye.

And welcome back. We are here with our next speaker. We actually have a huge sponsor for BSides Athens here with us, Thread Scene. We have Chris. Chris, do you want to do a quick introduction for us? I can hear you. Yeah, we can hear you with the mic. A quick introduction for us. Yeah, sure. I'm Christos. Hello. Nice to meet you. I work as a senior penetration tester at Thread Scene. Amazing. Yeah. Okay. So, a little bit about Thread Scene, right? Can you tell us a little, what is artificial intelligence today? And how is it related to cybersecurity? We hear that buzzword a lot. Okay. Yeah.

Basically it's a super hot thing to discuss, artificial intelligence. So basically today artificial intelligence mimics human behavior so well in different areas. So even though it's early, it's already in our lives in the day-to-day. It's a day-to-day thing. It's almost trying to remove Google from the mid lane and just starting googling in chat now. Yeah, Google dorks to ChatGPT dorks, I guess. Yeah, they are making their own AI, and every big player is making their own AI nowadays. So, and one of the questions that comes up is, can AI hack, and is it already being used

for attacks? I just saw in the news a few days ago that there's a major bug bounty program where the number one contributor is actually an AI. Yes, exactly. I was going to talk about that, to be honest. They are the guys that created this AI and they train it with live data. They were trying to do that, off the record, with offline data, solving CTF challenges and all that kind of stuff. Specifically, they got access on a big bug bounty platform, as you said, and they trained the bot on live data, and

right now it's the first bounty out there, even though what the AI finds out is not that kind of huge impact. It can't replace the tester yet. But it finds a lot more, faster, the things that we testers can do. So it's finding a lot of these things faster, but is it also finding a lot of noise? So like we see that it's the number one successful on that bug bounty platform, but how much of that was garbage that was submitted, where they had to filter through and go, yeah, no, this probably... 90%, probably 90%. So, to be accurate, these guys need to

publish their logs or something. I mean, in a blog probably, and we wish for that, but specifically, 90%, I'm almost certain that 90% of that is just f-ing around and submitting things that are not even there. Yeah. Can attackers manipulate defensive AI systems today? Yes, basically they use AI even for attacking the AI itself. Yeah, so basically they are trying to manipulate inputs. It's something like command injection, but it's called prompt injection. They're trying to manipulate the AI into thinking that it's their admin, or they're trying to get local files to the

AI or that kind of stuff, but they're using it to manipulate other AIs basically. So it's the adversarial AI. Yeah. So when we're looking at that and we talk about AIs, like what is the likelihood that AIs are going to be finding zero days? For example, like the DARPA Grand Challenge before DEF CON a few years ago, they had a bunch of systems on stage that were attacking each other, and I got to walk behind all of those, and some of them were like water-cooled. That was rather amazing. But one of them actually did find a zero day in one of the other systems. Now I don't know if we're actually seeing that today with

current systems. Have you seen any evidence of that so far? We do. I don't know if it's good or bad. I think that there's a known researcher that, actually recently, I mean two months ago, used an o3 model of ChatGPT. It's the basic model of ChatGPT. Yeah. Used it to analyze a known binary called SMB. It's a known binary on both Linux and Windows, and they're using it. It's a sum... and he used it to find actually a zero day in that binary, and used it for source code reviewing, to be honest. Yeah. Analyze the binary, because it's open source. Gave it to ChatGPT and

it's impossible to change with a real AppSec person, or someone who was writing code for, I don't know, maybe 20 years, or an expert in penetration testing or source code reviewer, but it can do things really quickly. And when we look at this across the really quickly aspect of things, looking at it from, you know, agentic AI, where you have these systems that are making autonomous decisions on your behalf, I worry about the security of those systems themselves. Like, are you familiar with EchoLeak that just came out about a week ago? Echo. EchoLeak. It was a vulnerability that a research team found by sending an email to a client

and the client opened the email and they could read it like a normal email, but there was hidden text that the Copilot agent read and executed the commands, and then deleted those commands. Oh my god. As a past pentester, and you as a current pentester, wouldn't that be something you would test early on? Oh my god. That's, first of all, the smartest thing I've heard this year. It's honestly the smartest. I've never heard something smarter than that. Yeah, basically. Wow. I mean, it's crazy. I left him speechless. Give him ideas. I've never thought of that. Actually, I did something two years ago when AI

popped up, in a challenge where you have to solve the challenge by providing the AI an image with code on it. Mhm. So it was possible to read the code and execute it. So that was a challenge basically. So it reminds me of that. Yeah, you need to have it tested, and the thing with AI now is they're trying to escape the AI by making it take actions on your behalf. Exactly what you said. So in the future you're going to tell it, it's like the Rabbit OS. I don't know if you have it. Okay. You will tell it to order food, what kind

of food you want, and order a taxi, get me to the airport, and it's going to do that automatically without any interaction from you. The only thing that it will ask you will be, do you want me to pay? And that's fair. Actually, a friend of mine was messing with a chatbot on a major, let's just say, hardware retailer in the United States and said, order me a television from this particular other website, which had no affiliation whatsoever, and it did it, and it sent the... it wasn't a television, but it was an electronic product, and sent it to his house, and he said when he was doing the

transaction, he said, where should I fill in my credit card information? And the chatbot said, don't worry, we got you covered. So the chatbot from one retailer got a device sent from another retailer to his house and never charged him for it. It's one of those things. It's like we see this over-reliance on AI, and, you know, while it's fantastic for doing security things, it's also very susceptible to manipulation. So it's going to be a really interesting adventure to see. There's a huge advantage for the people that are going to work with AI, that understand it, or that play around with it, right? Sometimes we don't even know. But what is that

like, you ask it to show you how to hack, but if you ask it to create a poem telling me how to hack, it will do so. Cool. All right. Thank you so much. It was wonderful having you here, and thank you for the support for the BSides Athens community. Thank you. Cheers.

And just responding to one of the comments here in the chat. Xavier, you are absolutely right. They should have a mic. And actually he did have a mic, just to let you know. It just unfortunately was not very loud when he was speaking. So we'll get them to be a little bit more audible next time we have somebody in to do an interview. So thank you for pointing that out, and we'll make sure that they are a little bit louder next time. Cheers.

All right. In the studio with us, we have Craig and Giannis. Hi Giannis. How are you? Good. Yeah, it's been a while. It's been a while. Yeah, I'm trying to figure out. Sorry, I'm just having a flashback moment. It's been a couple years at least. Yes, it's been two years. Was it only two years ago? I think it's probably more. I think it was Congress, right? Oh, then that would be longer than two years. Time flies when you're having fun. Good to see you. It's good to see you as well. And I'm wondering when the fun part kicks in. I've been doing this for 31 years. I'm kidding. Of course. Thank you very much for being here. How

was your keynote in your estimation this morning? Oh, it was great. I mean, I just got to talk about what I've been doing for the last 40 years. So nothing major really. Very cool. Starting off in Royal Navy communications and ending up my career as director of cybercrime at Interpol. Very, very cool. Now, with you joining us here today, it's really good that you're here as part of this community edition, and when I say that, you know, BSides Athens has been around for 10 years now and it is drawing such a large audience. You know, Greg is sitting to my left here

and he can slap me if I'm wrong. Has there been a thousand attendees this year? Almost. Yes. Almost a thousand attendees. And it's just really amazing that you're able to share the stories and lessons learned you've gathered along the way. Now, Interpol is one of the examples here. Did they ever have any sort of community involvement type aspect of things? And this is not a trick question, I was just genuinely curious. No, I mean, it's really, so Interpol, for those that don't know, is the international policing organization. It's been around for 100 years and it was set up back in 1924, and a lot of it was to do with communications. So it

was about where the telex machines were. Post First World War, how do you communicate? And at that moment in time, if you had a telex machine in your office, you had the power, because you were able to communicate. So if we were trying to set up Interpol today, we wouldn't have a cat in hell's chance to do it. So, you know, it's a neutral organization and it's aimed just at countering crime. So it's developed over the years, and now has a number of crime programs. In 2015 they started a cybercrime program based out of Singapore, and Interpol has been seen probably as a very western, northern world organization. So what they tried to do and what they

did in Singapore, Singapore said, "Right, we'll stump up the money. We'll build the center." Yeah. And I was based there for 5 years and that is a very impressive center. The real estate where it is is right in the heart of the diplomatic quarter. They maintain it. So there's a real investment from that side. So what Interpol then said is, okay, we'll do a global cybercrime program. They based it in Singapore. We also have a counterterrorism one, organized and emerging crime, and during my tenure they set up a financial crimes program as well. Now you could argue, and I was one of those who maybe did argue a little bit, why do we set up these in

isolation? And this is about the community piece. We set up different communities and we don't always tie them together effectively, whether it's in an organization, and I think this is where, you know, BSides works very well. You know, you encourage different sections of the community to come together. Yeah. You don't do it at high cost. So people want to come. You know, Greg tried to get me here last year. I couldn't come. I was still at Interpol. I'm here now because I'm retired. I wanted to come and support the event. I wanted to share my experience, but also listen to the community as well. So, in Interpol's role working with the private sector in particular, we have a gateway program

where we can bring data sets in from the private sector. Um, has to be done through our rules of processing data. It's very boring, but we have to follow these rules. But in terms of prevention, detection, investigation, disruption, it's the private sector that see what's going on. Law enforcement, we don't. Our uniqueness is we can take away someone's liberty. We can do that disruption piece um quite effectively. But the private sector do that in the case example I gave around VTech. Um, you know, it was a hack there, a worldwide gaming company that had lots of children's data and it was an independent DFIR response that did that investigation and brought us an evidence pack which,

you know, would stand up the test in court. They had all that information. They identified the person. So, that's how law enforcement has to work more effectively doing on an international level, but delivering it locally effectively and protecting the Exactly. And and that's one of the amazing things too of you know setting up these centers of excellence like in Singapore like Singapore has been on the leading edge of cyber security in a lot of ways and we're seeing a growth in that here in Greece as well. I mean like at this event alone we have what about 74 different countries that are represented at this uh particular event including Canada. Sorry I always have to get the

Canada and New Zealand and oh there you go. [Laughter] um what what do you like to see in the future like as we're like for the example that you use there that was like you know hard work done by investigators and things like that. Do you see and I can't believe I'm actually saying this out loud but do you see artificial intelligence having a role to play in investigations in the future? I mean it already is effectively. Um so when we looked at the private sector and how they're doing it we dress these things up in words don't we? Cyber it was all very confusing. I used to do it in the UK government. I'd write a two-page

report say very confusing don't worry vis you're rejecting your cyber security strategy we can help solve this give us 7.2 million I get an extra 113 staff. Um so sometimes we use a language and it people in power, and we just had a discussion about this earlier, is you don't want to seem to be the stupid one in the room. I'm happy to be the stupid one in the room but Adam said stop. I don't understand what you're saying. So when we talk about AI what does that actually mean in the context of cyber security? We can see that criminals are using it already and it's early stages but at least we're having that

conversation this time. What we've seen in the cyber journey is it's just grown exponentially in terms of the cost of cyber partners in the trillions. The cyber security industry is increased as well but the gap is widening. So for me, I'm quite excited now on the AI piece is okay, how can we use AI effectively to protect users, end users, because they shouldn't have to be worrying too much about when they're logging on. You know, we should be taking that away from them, the onus on them effectively. So if we're taking the onus away from them, how do we handle it from a governance perspective when you take into account things like Agentic AI and where you have these systems that

are making autonomous decisions on your behalf? What if the data was then poisoned, the model zoos were then corrupted? What are the concerns that we have there? So if I look at the traditional tabletop exercises that you know we all have grown up with now, they involve scenarios where people turn up in, I don't know, a harbor or some other piece of semi-critical or critical infrastructure and they have QR codes that are basically poisoning or using the poisoned model to obfuscate the presence, therefore not triggering the human element in the video card, and that's turn one in what's typically a 20 turn exercise, a TTX. Now, I don't know about you guys, but having, you know, done a

number of tabletops, we're not used to that modus operandi. Please note that this year is the year that cyber crime passed the 10 trillion mark, right? So, we're at 10.5 and that's not projected, that's factual. Okay. Sorry, I just got to jump in there because the cynic in me can't help but when I hear numbers like that go, really? Um, how is that number arrived at? So there are a number of Gartner type um measures for indexes of corruption. I know, I know, completely right. And what happens with cyber crime is they put it up against basically the cost of running Bitcoin wallets, Monero wallets, the cost, and please note this is response not recovery, right? So they're not taking

into account the cost to an organization. But how much does it cost criminals to run a telephone center as the one that was in Greg's slideshow? So that total cost of ownership is basically coming down. A counter point, about, not a counterpoint. It's like I did my presentation, my mom's 90, you know, these are the people I'm talking about, big businesses etc. You know the onus is on a business to protect its customers. If they got customer data, PII, you know, they should be protecting it, have the character to stick with regulation. So, I'm sort of trying to bring it back to respect of our local communities. How does a small business deal with this? How does my mom

who's 90 deal with this? The the real world impact the scam centers operating now, the sort of the love scams where you know people are actually now committing suicide. Yes. So the real world impact of this is massive and we talk in these facts and these figures and I totally agree with the facts and figures that you're coming up with there because it's really hard for us to get these facts and figures but then we look at the cyber security industry coming up these facts and figures and part of that is that scare factor as well and you probably in the same you've been in those boardrooms after a cyber attack. Yeah. and you you sat down with

the CEO and the team and you see their whole world has basically imploded on them. So there is then an onus you know on that protection side of it as well. But it has become so complicated now. Yes. And trying to cut through all the different layers and making sure that you know that it's a risk. Cyber security is a, you know, we're looking at a risk here. So it's that governance piece. How do we bring that into the boards? I've gone off on many different tangents there. Sorry, but there are many different facets to this. So, coming back to the conference here, this is where I see you've got so many different people coming together

and the learning you get from this, the shared coffees, maybe the shared glass of something later on today as well. That's the real value of these conferences as well and having that is exactly it. You're knitting together all these different aspects because you know the security vendors by and large are worried about the enterprises. But you're absolutely right. You know, elder abuse is a very real and present danger. Like my uh brick-and-mortar bank back in Canada, I went in there and there was a big poster on the wall about things to look out for if you are an elder dealing with things online. And I've seen people go after my mother's email and I read

these things and it's just like absolutely insane. But they're going after the easy targets, the small medium business again, that's another target. I don't know what to say, but sitting in Singapore, I was there 5 years, you know, coming back, they punch above their weight in Singapore, really, in terms of the resources they have available to them, their place, and they call it the red dot, that's what they call themselves, but they're very significant. So they have the ASEAN region that they look after, they are the cyber shepherd in that region, but one of the things they came up with was they were looking at the elderly being scammed, so they set up a sort of scam center as

well to combat that but as a lot of the elderly people were they just couldn't get cyber security it's it was beyond them and it was really hard. You think, "Oh, no, it's fine. Everybody, you just log on, just do this." No, they they're not going to do that. So, they had a number of different schemes and they looked at the cultural element of this as well. How can we engage effectively because people receiving these texts or emails or phone calls and they did simple things like putting a layer on top said this could be a scam. Yeah. So, you would see that when you picked your phone up or something like that. So, it's these little nudge things that you

can do as well. And that's one of the other things too, like yet another call out to Singapore in the way they approach things. Like at one point I had some uh IP address from Singapore was trying to break into one of my systems and I have this really bad habit historically of outing them on social media and I put it up and I said, "Oh, you know, kudos to this IP address for trying to get into my systems." 25 minutes later, I got an email from the second in command for Singapore Cyber Command saying it's been all dealt with. And I was like, damn. I wasn't worried about it, but they didn't even mess

about. So David Koh, I know he's the head, you know, he's been there. But what's interesting as well, I think, is that consistency in leadership and management within Singapore. What you see often is countries and governments and law enforcement, we're very transitional in our careers. You know, I made a conscious decision to stay in cyber because if I wanted a promotion, whatever, you know, at some point you'd have to leave. Yeah. And you look at how David Koh and his team have done it with the civil service. They've got a really unique way of how they work. But I say they've also got a bit of luxury. Yeah. In terms of a

very stable government and things like that as well. They're not chasing the votes necessarily so much as well. So they're able to implement uh plans etc. Cool. Well, I got to be honest, this has been a wonderful conversation and I'm getting the proverbial hook from side stage right now, but thank you so much for being on the show today. Thank you very much for being here to be part of this event and uh we really appreciate your input. Thank you. All right, cheers. All right, you're listening to BSides Athens 2025 and we are going to be going dark again. I see my mic is about to be cut. So, we'll be back soon. See you.

And we're back. Yeah. Welcome the most. We're uh your I know your talk is coming up here, "AI powered cyber defense: detecting malware through behavior." Tell us a little bit what should the audience expect from this talk? Uh can you repeat? Yes. What should our audience expect from your talk? Give us a highlight. Okay. So I know this is an offensive-driven, let's say, uh conference but um through this talk I will try to prove that cyber defense is cool too, right. So the idea is to see how we can fuse two modern traits of the modern cyber security and, let's say, IT world. So we have artificial intelligence. Everybody does artificial

intelligence. Yeah. You said the magic word. Yeah. So we so somebody has to to do that and try to fuse that in cyber security and see how we can automate and enhance uh things because the adversaries are already doing that. Yeah. So when you say cool um give us a couple of examples. What do you mean by that? Well, you know, people usually talk about how they hacked into the system and how they found this vulnerabilities, but nobody actually sees or brags about how he defended uh an attack or how he uh actually managed to let's say avoid 1,000 or 10,000 attacks within a day. And you know there are a lot of system cyber security engineers that work in

defense and these are unseen heroes I would say behind the scenes. So yeah this is what I think it's cool about and you know when you fuse AI AI is cool by itself. So elevating the blue team game with AI in it. Um what do you say is going to be one of the key takeaways that you want people to internalize when they leave your talk today? Yes. So um since we are playing with technologies that are coming are are proving to be the future of cyber security. I want uh let's say to give a a small side to people on what we might expect in the in the next 5 to 10 years to see in a domain and how the domain

might change drastically because every other IT domain is changing, and not only IT, using AI. So I presume that cyber security will do too, because we have stayed a little bit behind, you know, we have very strong human factors uh still. And that's the key underlining piece of it is like no matter how much we get into artificial intelligence, you know, under all of it is the human element and we have to be very cognizant of that. So if we're doing stuff like, you know, detecting malware through behavior analytics and things to that effect, I mean that's going to make it easier, ostensibly easier, on the operators that have to go through this because AI can

do the adequate but the human has to do the excellent. Exactly. You must have a supervisor on top. You do not remove the human element. You just hide the garbage that one had to see uh so far and show them insights uh on what he might or she might expect uh and where to concentrate for analysis. Well, thank you so much for doing this community service and making sure that blue team steps up their game and stays cool with AI uh advancing so quickly. Uh we're excited to follow your talk and thank you. Thank you. Thank you very much. Good luck. Appreciate it.

And we're back. Next up, we have Chris and Costinos uh with "Cyber Security Challenge: redefining capture the flags." That sounds intriguing. What do you mean by that? Redefine how? Nice to be here. And uh yeah when we challenge uh it's a normal simple life uh but the community, so the basic idea behind the security challenge is to bridge the gap between academia, students and uh the professionals, the industry. So everything we do we focus on that; other than that it's like a normal CTF life with some minor cuts. Sounds perfect. Uh what are some three key points that our audience should expect to walk out with today? Can you repeat the question? Three key

points our audience should expect today from your talk. So we're going to start kick this off with uh a quick introductory to the CTF what it's been uh where else it's uh happening because it's not only in Greece. It's actually about something that started off uh from 2015. Very cool. Uh 14 correct. Uh it came to Greece. So we're going to kick things off with that. And uh we're actually going to speak about uh the main things are the writeups. So give a bit of explanation uh what exactly how exactly we solve issues the challenges on this and um the outreach challenges that we had because yeah in Greece typically it's a bit hard starting out

something new, especially when there are already so many of them out there. Um another big thing is also the transition from the Jeopardy style, the main thing that typically everybody does, to a more scenario focused uh approach. So and the main concept of course not to compete from now on but uh rather to have a learning experience and provide a value towards a professional experience as well. So the idea is to learn already for students that are not working at a company how exactly a professional approach is going. Right. So I have a question, like one of the things that keeps coming up is people will say, you know, how do we get into cyber

security and things like that and one of the things I do suggest is uh CTFs and things like that. What would you say to somebody that asks that very question you know what is the draw for them to get engaged because a lot of times they feel intimidated and you know you want to have it as a welcoming adventure for them because I'll be honest first time I did one it was way too much fun. Um how do you bridge that gap from a psychological perspective? Yeah, that is uh an excellent point. Um indeed cyber security is uh although it seems to us like a field that has a lot of resources and free of them, a lot of

people don't know about them. So nobody pretty much knows about cyber security challenges and that's the outreach challenges that we're trying to solve. That's exactly what we're going to speak about. It's mostly community based. It's uh resolution eventually. Um but yeah it's up to now cyber security and entering the field is mostly with uh with help from somebody that is already in the field. It's not something that you can just say okay I'm going to do it without knowing anybody that can actually point you to the right direction. There are plenty of platforms like TryHackMe, Hack The Box that are free. They have a lot of boxes uh a lot of free content that is actually pretty

well written amazing. uh but yeah it's uh something that they really just need to Google but how do you know that Google when you have absolutely no touch with the field so that's something we need to solve from the universities themselves that's where everybody starts right I actually think to that just one one point that I I feel it's uh it's quite important here cyber security is not a different field everyone say cyber security is something different okay um I would study uh information uh technology uh computer science and just work in cyber security that is not going to work at least not in the long run. You need to establish a very strong foundation of the key components of

computer science, networking, systems, programming, and then start thinking about cyber security. Then everything will come naturally and it will help you in the long run. So we have to focus on the basics. Don't start with a cyber security certification. There are so many of them out there. Start with a network certification. Start with a Linux certification. I tell people that all the time to cyber security. Absolutely, it will take more time but the progress uh will be uh faster. So we make that and I think they've hit a gold mine with a localized, if we call it that, localized uh content for CTFs. There's a lot uh and I speak five languages, right, so in my head I was

not exposed to any CTFs in Albanian but you you got me thinking now uh so All of the CTFs I've done are in English, but I don't mean just a language barrier. I mean the I mean the cultural context that you put in with that, the scenarios you build, right? There's something about um customizing the experience to that uh local users and um students culture, right? And it really will stick with you better and memorize things better, I think, when you do the uh cultural play and the localized version of a CTF. Very cool. Well, thank you so much for being here today. Really appreciate that. Uh do you have any parting words that you want to share before we wrap up

our session here? Well, uh we have uh a talk in approximately 10 minutes. Oh, 10 minutes. Just enough time. Yeah. So, feel free to join, everyone that wants to learn more, and uh meet us in person. We are open for questions and uh we are happy to help. Excellent. You're at the right community event for that, and we've been speaking here at BSides Athens 2025, and good luck with your talk in 9 minutes. Good luck, guys. That's funny. Thank you. Did I get that right?

Sure.

All right. We are back here at BSides Athens 2025 with uh Lee. Let's, I'm not going to make a butchery of your name. Please introduce yourself, sir. Hello everyone. I'm Papa. Uh, try saying that, dude. And thank you so much for saying that because I uh my Canadian tongue can only do so many syllables at once. So, I really appreciate you being here and as a platinum sponsor here at BSides Athens, 12sec, it's a really amazing uh opportunity for, you know, being able to be part of the community, but also benefiting the community as well. Um, what is your um overarching drive at 12sec? Actually, I didn't catch that. Oh, yeah. So like what is your mission

and purpose at 12sec? Uh at 12sec um we provide security services to a broad clientele worldwide uh which uh branches across uh security assurance, security management, security training services. Um we are active also in the field of compliance with uh the well-known DORA and NIS2 acts for example. Yeah. Uh we are very happy to work in an environment which um provides us the opportunity to connect also. BSides, we're very glad for BSides Athens. Um it is um 12sec always invests in the moving parts of um the personnel, the consultants. Uh on one part it is the access it gives to its members to reach uh international cyber security conferences um but also through uh well-renowned

certifications uh if someone is um active on our LinkedIn or discord they may also know that 12sec recently reached um an agreement with offensive security uh so it provides all its employees with unlimited access to trainings, labs, certifications. So we have a very specialized personnel across all these areas. Uh and thus we can provide a very tailor made service to a global clientele. Very cool. So, um, for example, if you know, Widget Co or something like that, some company that comes along, I hope there's not actually a company named that, um, and they're looking for a tailor made program for their organization, that's the type of thing that you'd be able to assist with. I

would be able to, uh, be able to provide them. Yes. Um it is uh something that the project management usually deals with uh with uh communications with this client company where on a very hand-in-hand approach we will discuss and assess the needs as uh communicated by the client. This will be communicated down to the consultants and eventually we always provide something that is of high quality, a high quality output that meets the either legal requirements or the actual needs, or both actually, of the client. Excellent. So with events like BSides Athens um here that's been running for 10 years um you know what does it mean for you as an organization to be able to contribute to

this, you know, community events like this? It is actually a beautiful day today at uh BSides 25. Uh we really love BSides and the opportunity it provides um to get close to everyone each year. Uh we've been together with uh the organization from uh the first time. Wow. And we continue together every year and 12sec is also a platinum partner to the event. That's fantastic. We really do appreciate you contributing. It is uh something we are very happy about and in our booth um we are there. We are looking forward to speaking to cyber security professionals, students, enthusiasts uh of the field of cyber security, uh getting to know each other and inform. Um we're waiting for everyone there. Of

course, I have to ask is the t-shirt you're wearing part of the swag you're giving away today? The t-shirt? Yeah. Yes. Okay. Actually, uh for those of you who can't see it online, it is a, tell the, sorry, Ten Commandments of Cyber Security and, oh, this is just cracking me up. Um I made one of those. I know, right? That's awesome. It's something everyone comes um and every year everyone comes together and bits and bytes of ideas and a t-shirt comes out. That's awesome. And this is an industry that absolutely thrives on t-shirts and stickers. I know that all too well. Well, cool swag, certifications, and a tailored approach. Um everything you need, 12sec got it for you. So, thank

you. Thank you for having me. Thank you for uh contributing and uh to making this an amazing event. Thank you. All right. Cheers. And we are here at BSides Athens 2025. We will be back in just a few minutes.

All right, we are back here at BSides Athens 2025 and we are joined by Abdi Tamar and thank you very much for being on the show. How's your day going so far? So, thank you for having me. It's uh a great honor to be here today joining you guys at uh BSides Athens. It's my first time and looking forward to connecting with the speakers and the attendees of the conference. Excellent. Well, one of the things that I noticed right away is your talk is about attacking SSO. So, I like you already. Um could you expand a little bit more on what you're going to be talking about today? Yeah. Well, I will start with a

funny story about this talk because I basically submit the same content but um it was more on the um defensive point of view like how we can make SSO secure. Um so this year I try to work a bit on my speech and my submission and also my research to be more focused on the uh attacking perspective. So I think this is what got me here today in uh at the conference and I believe this is one of the most um uh important subject that we um we took care of when it come to application security because um identity is already a complex topic. We have a lot of stuff going on a lot of standards

and um attackers are getting more and more familiar with uh how to uh abuse these standards and how to exploit it. So in any um mature organization today you will definitely find an SSO system. So it's important in my opinion to um have this attacker perspective in order to figure out what can be um exploited by a malicious actor um in order to abuse our SSO system. Excellent. Now, one of the things that I find is a real problem with SSO is it tends to be done in a piecemeal fashion in most enterprises where when they deploy it, um it's only doing core assets and it leaves a larger part of the organization exposed. Has this been your experience as well? Um

yes. Um of course and this is related to um it's a shared responsibility between the applications and also the SSO system. So most applications still rely on old-fashioned frameworks which don't support the recent um uh protocols or standards. So this opens the door for attackers to uh go through these um open doors. Um the second point is um related to this inconsistency between users who belong to the SSO and the other ones who uh are authenticated directly with this uh application. So from a um governance perspective this may uh lead to uh dormant accounts and um other uh open doors that can be exploited by malicious actors to get into these applications.

How has it been being here in BSides Athens? Uh well, it's my first uh experience. The first time I'm visiting Greece. Oh my god. So again it's a great honor to be here at Athens, the birthplace for democracy, philosophy and also a good place for cyber security conferences. So I had the schedule for the next two days. I'm so excited about it. I came from Paris, but my roots are from Morocco, especially Marrakesh. So, the weather here is a bit close to my hometown. So, I have to come visit Morocco because I only just found out a few months ago that I am 2% Moroccan. Oh, it's not a big piece, but I got, I

got part of it. And I was just like, that is super cool. Because I was hoping for like variety when I did my DNA test, and it turned out that I'm 99.6% Irish. So, so much for variety. Um, what is your biggest takeaway that you're hoping that people have uh when they see your talk today? Um, the most or the important takeaway I want uh my attendees to um have is um go for the recent um version of the RFC standards that define how to use OAuth. So a lot of effort has been made to um secure how we can implement uh this uh flow or these grants. Uh if you

check the previous one you'll see that there is definitely a lot of security holes that can be exploited. So it's important to keep up with the latest version of the standard and this uh for sure will guarantee the secure implementation of this uh protocol, especially in motor text. Excellent. Well, thank you so much for being here today. Thank you for taking time to sit down and talk with us in this very, very hot little room. Um, really appreciate it. Um, merci sal. Thank you. All right, you're listening to BSides Athens 2025 and we will be back in just a few minutes.

Welcome back. Uh, shout out to my little fan here for this because it's really hot in here. Uh, but welcome to our next speaker, George. Um, I know you just had your talk. Tell us a little bit about uh your talk uh "Beyond volume: APT-style data exfiltration detection." What was it all about? We took a deep dive into how the APT groups, yeah, into how APT groups exfiltrate the data. But uh in a sense because a lot of our guys in the incident response business they are looking for the action but a lot of times you do not have the artifacts to find this action for the exfiltration, but uh you can find the artifacts of

their methodologies. For example, they use zip files where they zip all the content and upload it for example in cloud storage, or another exfiltration method they use is DNS. Uh so we took a deep dive, simple thoughts, because my main problem with a lot of talks is I go to a talk, I'm sitting, I understand half of it and I'm like, do I remember what just happened? So my main uh concern on that presentation was simple things; I want the attendees to get the idea basically that you can track the methodologies, not the actions, because in a recent incident that I'm using for example we didn't have

the network artifacts, we didn't have the exfiltration patterns on the network in the network logs, so uh we came up with another type of methodology to find what happened. Basically we take the ransomware group at the time, um profile what tools they're using, what they're doing for their exploration and trying to map it out and find what host had these artifacts. For example, the certain group that we were chasing was using rclone. So when we found some commands uh there that used rclone, we were pretty certain that this was the exfiltration point. It was the n server of this company. So it fits. So this is the main concept that you're not going to always have every bit of

information. So you have to think outside the box. Now when you're dealing with these sort of threat actors, what is some of the actionable intelligence that you give your audience when you're giving your talk, what they can use that is tangible today? Because unfortunately the media likes to spin off in different directions as you know, ooh scary and all that sort of thing. But what's some practical advice you would have for them? Um at the end of the day they are using simple things to exfiltrate the data. So a common misconception is that these rules these rational are going to use some sophisticated software tool to exfiltrate the data but at the end of the day the thing that

is more practical, and this is the thing that's not going to get blocked, is things that an employee is going to use and his uh tail. So this is what they are abusing basically, they want to blend in. Yeah. They're going to go after, you know, user activity, like users, we're taught to click things. So I mean yes when you know by definition we're our own liabilities. So yeah it's just definitely a longer conversation to be had there. Awesome. So uh have you presented at BSides Athens before or was this your first time? This was my first time and my first talk in English. So, oh, congratulations. You're

doing great for my English. As I have been told, my English are the most Greekiest English accent that you can hear. I have other friends. You're good. You're good. You're good. I'm Canadian and let's put it this way. Your accent is just fine. Um I'm still trying to figure out how to speak English. So there you go. Oh yeah. What? Let's try watching Dave speak give a presentation in Greek. He had stopped. Uh I would fail so hard. Um so what's next for you if this is your first talk in English is like do you plan to give other talks in English as well? Uh at this moment I don't have something planned out but uh I loved it.

So I'm eager and waiting for the next one to come. But I will tackle ransomware groups on the next one for sure. Very cool. So that's one of the really amazing things about having these community conferences, where you're pulling together like a thousand of your closest friends, and there are literally BSides all over the world. So there would be lots of opportunities for you to give presentations exactly like that. And it's amazing that BSides community events have really spawned from basically nothing to now being the mainstay in a lot of markets. They're actually bigger than the corporate events, and that's really cool. So it really would give you a much bigger audience, and having been a

speaker now for about 13, 14 years, I can safely say it gets addicting really quick. So you'll have a great time. You're welcome to come to Chicago or Albania for BSides for your next one, or Toronto, to be honest. Well, thank you so much for being here today. I really appreciate it. But before we wrap up, do you have any key takeaways that you would like to share before we put an end to this, about the presentation? Right. Whatever you want. In general, be creative with your investigation and think outside the box, because the problem is we tend to, you know, have a very standard methodology and cling to it. Mhm. And

this is the problem. And another thing that I want to raise is a problem that we have here with a lot of cyber security experts, as you can say, or professionals: when you are referring to a group, they do not want to get on that. But it's like the example I gave in the talk: if you think about it, if you are a football player, you want to look at the big guys. So this is happening, and we have to have our eyes open. Excellent. Thank you very much. Thank you very much, George. Really appreciate it. And you have been listening here to BSides Athens 2025. And yeah, we will be back in just a

few minutes.

All right, we are back here at BSides Athens 2025, and joining me today is Bill from Fortinet. Bill, would you take a moment to introduce yourself, sir? Okay, so my name is Da. I'm from the house of Fortinet, as you say, committing to the team of security engineers from different aspects. Okay. So talking about me, I mean, I'm doing cyber security also for myself. Okay. But I usually say, like, I like to build stuff. Okay. Not break, build. Or break or fix. That's fair. I started out as a breaker, so it's... Oh, good. Yeah. Eventually got to the builder side of things. And so how's that working out for you? Yeah. Good. So what

do you want to discuss? Let's speak a bit about how we see cyber security, I wouldn't say only in Greece, but the trends that we see recently in the market. Of course I'm not speaking about sales; I speak about the technical aspects. Okay. So the fundamental issue, the challenge with the skills shortage, I will leave that aside. Okay. So looking at the BSides event, we love as a vendor all of this community-driven approach that connects us, not between companies but between different individuals. Okay. And we consider this one of the key factors to find new candidates that

want to do cyber security. And the candidate thing, it's not like seeing it from a recruiting approach, let's say, but seeing more and more people in cyber security. And I would say the different sides of the event, like from actual hacking, red teaming, blue teaming or whatever, make it. And we see a lot of young people, challenging people. Some of them you see them also in companies and big accounts, as we say, but at the end of the day there's someone doing something, offensive or defensive. So just great, great content. That's one thing. The second that I would like to

mention is, like, we see more and more work that needs to be done on the SecOps things. Okay. SecOps or DevSecOps things. Yeah. Yeah. So this is one of the main drivers, excuse me for the word, of the business side in our region. I mean, traditional security is no longer enough. Okay. And we see a lot of different companies trying to fill, not the technical skills, like okay, to get more people doing it, but to understand how to secure better, of course with the automation. I will not speak about AI. Okay. Yeah, every single presentation has an AI

thing on it. Well, it's really become the choice of the day. Like, I actually serve on the CFP review board for the SecTor security conference in Toronto, Canada. And we had almost 400 submissions, and a large swath of them were speaking very heavily towards agentic AI, and it was amazing that a lot of the speakers that had submitted were specialists in agentic AI, but last year they were cloud specialists. I'm like, interesting how the market pivots so quickly. The market pivots, and, you know, everything is being run from marketing. So you become an AI expert in the last two years. Okay. Or you become a cloud expert, you have a cloud expertise of 15 years. Okay. It's the same like

with a new programming language that someone is becoming an expert in. Okay. It's here to stay. Okay. I have this thing, like, it's solving somehow the skill shortage. Okay. In some entry-level positions, which is okay. We expect also that the search will become more and more automated. We live in a world of big data. Actually, we lived in a world of big data even 5 years ago, but now it's coming up more. So it's here to stay. Sometimes I have a motto, like, security is like teenage sex. Okay. So now we switch to AI. AI is like teenage sex. Everybody knows how to do it. Nobody knows how to do it.

So everybody's doing it. It's really amazing how things just pop up and people are like, "Oh, it's an overnight success, like AI." But meanwhile, AI was coined as a term back in 1954. And so it's the longest overnight success I've seen in a while. And, you know, with all the different aspects of things, you know, cloud security, right back to the beginning of the dawn of the internet, security seems to be in a catch-up phase in a lot of respects. Like, when the internet was born, it was point A, point B, and security was never part of the equation. And do you see that being replicated again today with artificial intelligence, where security

is again being forced to play catch-up, or do you think that we are hopefully getting to that point where we're ahead of the charge this time? Good question. So going back a lot of years, okay, when we speak about security, it was mainly access control. Over the last, I would say, 10 years, and we'll go on to the AI thing, we have seen things that we didn't know existed, because we didn't know what attacks were coming. Okay. So the challenge with the whole cyber security thing is trying to catch the next big thing. So from an attack perspective, or from an offensive position, let's say, you always try to

find, not the next big thing, but try to cut really, really fast. We as individuals, let's say, I'm not speaking about companies, we're always falling back a bit on the technology and trying to catch up on things. The good thing about the market that we are in, I mean the whole cyber security market, is that it's constantly changing. So what we see now we couldn't predict, even though the term exists, as you say, that we have this boost and it's being applied everywhere. So my personal opinion is that we're still trying to catch up to understand how we can better use it, and of course it

plays another aspect in cyber security: how we will secure it. Okay. Or how we secure it, or how we will use it to make things so that they will remove, let's say, the actual noise. But are they really good, that they actually remove the actual noise, or not? Okay. It's here to stay. The challenge again is that we don't have a lot of people knowing about it, I mean not knowing how to use it. But that's one of the benefits of having a conference like BSides Athens: you're able to share these stories. And I want to say thank you very much to Fortinet for

being a platinum sponsor here to help enable a community event like this. We love community events. I will say that again. So we sponsor, and we really like to know the actual cyber security. Okay. Excellent. Well, thank you so much for being here today. Really appreciate it, and I hope you have a great rest of your day here at BSides Athens 2025, and we'll be back in just a few minutes.

And welcome. Let's try that again. And welcome back to BSides Athens 2025. Woo. Here with us we have the meeting and Left. They had a presentation called Painted Purple, and they're actually representing with the shirts today in blue and in purple, and we are told there is a red shirt going around. So the three musketeers: Painted Purple, Wireless Security at the Operating Table. This was a workshop not for the faint of heart. What do you mean by that? Well, it was true to life. It was an attack simulation of an actual attack that, you know, a malicious hacker would have done in order to break into an enterprise

network, and go even further, not just, you know, acquiring the password for the network, but also providing an evil twin, as it's called, an access point that's siphoning traffic and manipulating traffic any way you want. So you can, let's say, present a fake website. If you present a fake website of an internal device, like a fake firewall, then you can capture the username and the password that the admins are using to log into the security device, or maybe other infrastructure, which is also common, because, you know, in internal networks the IT administrators commonly do not use actual verifiable SSL certificates

and they are typing in the IP addresses. So when they are presented with, you know, a warning that says okay, this SSL certificate is not valid, this is also common. So if you manage to siphon the traffic on an evil twin access point, which is the next thing we're going to do after getting the password, then you can also siphon and get out any kind of login credentials they use to log into their own infrastructure. And if you actually manage to do that, then you've actually pwned everything. If you can go into the firewall, you can open up, you know, the defenses and exfiltrate things and do whatever. So wireless security,

because everything is switching to wireless, is of the essence these days. And can we actually secure that? Yes, we can. We can do certain things. Tell us how. How can we secure it? Yeah. Well, we can do a lot of things. We can do the cheap security, as we said. So we can manage the IPs that we have. So if we have a certain range of IP devices that we are using, we can say to the network, okay, we're not using any more class C, 254 IPs, but we're using 10 or 12 or 20, as long as

we are sticking to the number of the people working inside. We can even do it better and say, okay, we can use our MAC addresses. Cheap also, spoofable, yes, but you have to know them first. So this is cheap one, two. We can go even further and implement WPA3, and this is very important. We cannot stay on WPA2 when we're talking about enterprise sizes right now, and we can use the enterprise WPA also, stronger. So there are a lot of things that we can do and work around. We can use the

authentication of frames, the, what's the acronym? Oh, the PMF, yeah, and the 802.11w protocol, and make sure that we are not deauthenticated easily. And yeah, because you know the attacker is going to disassociate you from the access point and then inject the fake one, you know, in between, and then allow you to authenticate again, but it's going to be on the fake one. Yeah. So if you manage to not allow your associated devices to deauthenticate, then you have a very strong defensive point there for the network. So this is what WPA3 Enterprise and, you know, the protected management frames protocol is

actually doing, because imagine that right now we're talking to a lot of companies where they're moving along with their laptops to go and sit at a different desk, and it's very easy to, let's say, deauthenticate, to leave one access point's radius and go to another. So deauthentication from one side to the other is something that can become very easy, and it's part of the process. So you don't understand when it's really an evil thing happening on your laptop. It's something like, okay, yeah, I switched to the access point because I moved to the other room. So it's something that's okay. You cannot do that globally,

because you have IoT devices, legacy devices. You cannot do WPA3 Enterprise with, you know, a legacy industrial system. So you have to segment. You have to provide different SSIDs for different things. Then you have to allow for certain MAC addresses and certain associated clients. Let's say you have an industrial system with three clients connecting, and then you have 200 employees working in the offices. You cannot have them all together. How do you see things coming up, like legacy hardware? For example, my wife was recently in the hospital getting some tests done and stuff like that, and we saw a pump there with various fluids in it, and

it had an Orinoco Wi-Fi card in the back of it. Yeah. So that's back when the world was flat. Yeah, exactly what I was saying. You know, all legacy devices are providing us with a good set of challenges, because, you know, changing laptops and mobile phones, they come up with support for new protocols. Okay. But when you have legacy devices, then you have to compensate. You have to provide segmented networks. You have to provide the strongest security you can have on them. And at some point, evidently, you have to rely on the security they can provide. And this is the most difficult part when we're talking wireless, because

okay, you can have an SSID for the pump, let's say, okay, but also the pump has to be able to protect itself at some point, and when they age, these kinds of old devices cannot really protect themselves very well. So some management systems provide no alerting, and you have to use wireless IDS systems that are going to monitor all the IoT devices connected on particular, you know, very sensitive SSIDs, as one for the pump. But one of the problems that I have with that is a lot of these IoT devices have minimal compute power available to them, right? So we look back to the example a few years

back, actually quite a few years back right now, where there was a light bulb that had Wi-Fi attached. And you could actually attach to that light bulb wirelessly and pull the credentials out of it. Yeah. And the problem was, in order to replace that within the network, because then you would have access to the network, each one of those light bulbs would have to be manually replaced. So it's like, how do we get to a better place where we're, you know, doing security in a good way that is going to obviate those legacy or ill-conceived ideas? You need the purple team, you know, mentality. Really? Yeah. Yeah. Nice. Well played. You definitely have to

always test. Yes. So that's why we get the red guys coming in. Yeah. Test the things, see what the flaws are, where the vulnerabilities lie, and then the blue teams are going to secure. The blue guys come in; they would start talking about segmentation and make them very strict and try to update the firmware if you can. Let's say the blue team is going to start with... sorry, your mic just turned over there. So the blue team is going to go, "Have you updated your firmware?" So okay, you need to do all these things, but you need to attack and defend, and all the things together, so you go purple

instead of, you know, just red and blue. And essentially we have to put some pressure on, you know, vendors. Yeah, we have legacy devices, but they have to provide the minimal set of, you know, security features, years of support. Mhm. You have a legacy light bulb and it has one year of firmware upgrades. There you go. And they have untested firmware, so you can fetch things. So it's not just about protecting your own things if you are a big corporation and you can pay for pentesting, let's say. Okay. The vendors themselves have to abide by certain regulations that are going to make them step up in the products they provide. And hopefully

we'll get to the point where we're going to patch the matrix. Well, there you have it, folks. Always be testing, always be securing. And that's how we painted it purple. Thank you so much. They meet the end of day. Thank you so much. Thank you very much. Cheers. And thank you for being here at BSides Athens 2025. We'll be back in a few minutes.

And welcome back to BSides Athens 2025. We are here with none other than Sakis. And no, I don't believe he's going to sing us a tune anytime soon. How was your talk? Tell us a little bit about how it went. Hello everyone. Thank you for having me here. I believe it went well. It sparked a lot of interesting discussions after the talk. So I believe that everyone got the impression of what's happening right now with browser extensions. They are now getting back to their office on Monday, trying to review what they have already approved and what's in their list in their enterprise. Hopefully they are going to block a lot of them, and

they won't have any malicious ones installed already. And it's not just the malicious ones; the ones that are just poorly coded that I've seen have been really catalytic events that have led to bigger problems. So it wasn't that they were written specifically to be malicious, but yet they have the same impact, too. So how do we get to a better place where, you know, these browser extensions are doing what they're supposed to do and not exposing organizations to risk, or individuals for that matter? That's a really interesting question. The problem is, right now everyone can develop an extension. So we are also getting the issue with less developers. The problem that we are seeing right now

in our reviews is that everyone that wants to develop an extension, they don't fine-tune the extensions and their requirements and the permissions that they want to use. So they just follow a guide for a different extension, different tool, different kind of extension. They add all the permissions over there. They request access to everything: your storage, your cookies, your session, everything. And the extension does only one thing: just clicks a button and pops up a specific message or places a word. And yet they require all the permissions. The problem is that once that's approved for your organization and you use that, that developer someday might go over there and sell it. That extension would have all the permissions to access

everything. You have already reviewed it; it's already in your organization. Someone else owns it now, and they can do whatever they want with that. So do you recommend stuff like an enterprise browser as a way to help reduce the risk for an organization? That's one option that we can use, but you also have to restrict the browser extensions over there, right? And that's, sorry, that's what I was meaning by that: having a browser that's controlled by the organization so that, you know, people like me won't be able to add all sorts of extensions or write a poorly coded one. I felt really called out at that point. I'm kidding, of course. The last time I wrote code, I think

God was a boy scout. It's not necessary to use a specific browser for that. You can just use policies on the browser extensions in the browser that the company is using. So there is no need to use a specific one that's related to security that can do that. You can just use policies or specific tools. So you can restrict that, or use a whitelist if you need some project or some tools that you're using internally. So you can narrow down the scope as much as possible. Okay. So you gave your talk earlier today, correct? Yes. Okay. So during your talk, were there any questions that really came from the

audience that resonated with you, that you thought were really good points that you would like to share, or were there any key takeaways that you want to share? There was one question; it was essentially related to what's happening with the environment right now. What I want to point out, and what everyone should be aware of right now, is that I would say it's a wild west right now, although there is a new enforced policy by Google at this point. It's actually enforced at the end of this month. Today. That's true. Oh, yeah. It's supposed to enhance the security, but as I've already presented in my

talk previously, there are already a few ways that you can evade all restrictions. I've pointed out some specific details so you can look at them when you're doing your analysis. So right now, although it's more secure, it's harder to do it, but, you know, we are trying to do something and they're always a step away, and it's always that cat and mouse game: the one is chasing the other. So as we're evolving, they are also evolving. So that's that constant race; everyone's trying to be ahead of the other, right? Is there any browser out there that you would recommend people use in order to

reduce risk, or when you say wild west, is it full-on wild west across the ecosystem? It's more or less the same on every browser. Right now the majority of the extensions are deployed on Chrome because it's the widely used browser. So the majority of those extensions are for Chromium-based browsers. For example, Google Chrome, Brave, Edge right now uses Chromium. So all those browsers are using the same extensions. So it's expected that they are getting all the heat and all the attention from the attackers. If you want to stay safe, you can opt to use a different browser. But that won't help you in the long

term. If you don't click the correct URLs, if you don't pay attention to what you are installing, it would end in the same position. But the attack surface is probably smaller, because you are in the one-third of the extensions that is doing the source. Excellent. Well, thank you so much for being here today at BSides Athens 2025. Really appreciate your contributions and being part of this community-driven effort. Thank you so much. Thank you so much for having me.

And welcome back here at BSides Athens 2025. We have with us in the booth Yuo. Thank you very much for being here, and could you take a moment to introduce yourself, sir? All righty. Thank you very much. So my name is Yu Ya. I know it's quite hard to pronounce for non-Finnish people, but so, I'm based in Finland. I'm working for Accenture. I've been doing cyber security for 11 years, I think. Yeah. Mainly digital forensics, incident response, malware analysis and so on. I'm very active in the cyber security scene in the Finnish local scene, but I'm now involved with the Malware Village at DEF CON as well, and doing this

kind of stuff. So organizing as well as speaking. Are you going this year to DEF CON? Yeah, I'm good. I'll see you there. Yep. We'll be in town again. I was actually a DEF CON goon for 13 years. So that was crazy. So your talk is coming up in just a few minutes. You're going to be talking about weaponized open-source applications. Would you care to elaborate on that before you head on stage? Yeah. So basically my talk is about KeePass and one Black Basta initial access broker who has been using KeePass as their initial vector into organizations for the past year. And I came up with the... I was actually dealing with a case where the client was

compromised by this actor, and then I started researching it, and I had a first talk about this, I think in February this year, and there was nothing on the internet about the campaign. But then in May, kudos to the WithSecure company, who had also been researching the same thing, and then they released their report, I think in late May this year. But that's about it. So it's malware analysis of the KeeLoader, which is the malware they have been using to get the initial access. So was the, sorry, the KeeLoader a compromised version of KeePass, or was it...? Yeah. So basically they are doing their own fork from

KeePass, and then they are creating fake websites and doing malicious advertising on Bing so that they can deliver the malware to the client. So that Antivirus 2009 was probably not something I should have installed on my computer. Yeah. Yeah. Yeah, but to be honest, for example, in the case I'm talking about today, they had MDE, the Microsoft Defender for Endpoint, and until this day I don't know if it still detects the KeeLoader. So really, that's disconcerting, to say the least. Any best practices, key takeaways, as a teaser for the audience from your talk? Well, of course I'm talking about one case. So there is a lessons to

learn section as well, and also, what I really want to highlight for all digital forensics and incident response companies is that you have to do the malware analysis part as well. Many companies are just doing the forensics, and many clients don't want to pay for the malware analysis, but you miss a lot of details about the incidents if you don't do that. So that's my, well, that's my own agenda too. Yeah, absolutely, a holistic approach, right? Very cool. All right, well, in the interest of time we'll start to wrap things up here, because I know you have to get on stage. So I may be butchering this, but kiitos. All right, that's correct. Hey. All right. I got

that right. Well, thank you so much for being here, and I really do have to find out where you get your tattoos done, because that's some excellent work, by the way. All right. Well, thank you so much for being here and good luck, and yes, best of luck with that on stage, and be sure to check that out if you are here on premise today. Thank you very much. And you are listening to BSides Athens 2025. We'll be back soon.


offline. All right. So I will take this. Yeah. No, really, the title of this really intrigues me, about, you know, weaponizing a Conditional Access bypass in Intune. Could you tell us more about that? Yeah. So first and foremost, for the audience who might not be too familiar with the subject matter, basically Intune is the device management suite for the Microsoft ecosystem. Basically, companies can manage their corporate devices on that system. But the way it works is a lot of companies are restricting sign-ins to their corporate emails, productivity apps, all that, to, you know, lock it down to the company device only. So there's a check that, okay, if

the user signs in from the company device, you're allowed in. If you're not, then I'm sorry, even if you have the password, even if you have the 2FA. So historically companies have felt quite secure, quite safe, having these kinds of controls in place. And so when there were rumors in December, winter last year, saying, oh, someone can get past it, there was some ruckus in the community saying, ah, is it possible, is it real, is it not? Isn't that a day that ends in Y, a ruckus in the community? Well, I suppose a lot of organizations rely on this. That's fair. That is fair. It's sort of like the data

boundary, the corporate data boundary. They trust Microsoft or, you know, some other vendors to implement this feature securely, at least. You know, it sounds like something you should do really, really well, because you claim that, you know, the attacker can't get in without the device, then it should be that way. So I suppose there's a bit of, like, what? So there was no veracity to the story that was going about, or, sorry, there was no substance to the story that was going about that you're referring to? Ah, so a little bit, but not too much. I guess I'll talk about the nitty-gritty here, and I'll do the technicals in the talk

instead. So initially there was a rumor, because it was a paywalled, walled-garden tooling suite that I shall not name. One, you know, well-known developer in the space was saying, oh, I'm going to give a talk at said walled garden, telling people how to do this, and everyone else was like, oh okay, you paywall it, but if you say you can do it, fine, we trust you. And then subsequently, so let's name him researcher A, and then researcher B came on at Black Hat Europe in London to talk about the same bypass, and then the bird is out of the cage now, and

then researcher A came out and said, okay, fair enough, okay, it's now public knowledge, I shall give the community a little more of a hint. And it was from that hint, so what was given was the Intune Company Portal app as well as an application ID in the cloud. So we come into the story now. With that knowledge, we rushed, we were maybe the first to rush into, you know, reverse engineering from those two bits of information to get the bypass working and release it to the community, for sort of the community's sake, because we believe in open knowledge. We don't think as

a red team you should hold out TTPs too much, because the more open the knowledge is out there, the better everyone is, is my belief. I wholeheartedly agree with you on that point, because, you know, sharing this knowledge will help, you know, improve security across the board and ultimately float all boats. Forgive me on the timing, because I'm a little sketchy as to when things are happening. Have you already given your talk, or are you about to give your talk? We'll be in at, you know, quarter to 3 p.m. Quarter to 3 p.m. All right. So in the lead-up to it, are there any key takeaways for our

audience online that you would want to share? So that's a very good question. A little teaser. Yeah, a little teaser. I've talked about sort of the lead-up to it, I suppose. And in another BSides, BSides Hong Kong, I talked more about the disclosure part, where, so for the audience, we published the blog post and the tool on the 20th of December without much public fanfare, because we don't want to make a big deal before Christmas, right, because blue team needs Christmas. But then on Boxing Day, so a lot of drama there, we were hearing, you know, whispers again of

actual exploitation in the wild using that, as well as some other researchers, you know, sharing our repo without, you know, crediting us, which is not very nice behavior. No, that's abjectly bad. So fortunately I had made all the socials ready; you just need to hit send then. So well, we hit send on the 27th, and, you know, that post blew up overnight, and the rest is history, you know. Originally, I'm going to talk about the vulnerability in the talk itself, so the audience can, you know, anticipate or feel excited about, you know, attending, and also, you know, we'll upload the talks later

anyway so for those who can't make it so don't worry. Excellent. Uh but what what my takeaway was um there was a couple of community figures around uh the disclosure which did not credit us and I asked nicely hey uh influencer X it's been very nice that uh you share this um but can you you know give two credits where is due because you a lot of hard work from our end to to make it happen and and you know we want to we want people to read our bottles as well because it has original content and so on. So, so they responded nicely and and fairly um uh reshared our content and so on. So, it was all good

in the end. I was about to say name and shame, but you didn't have to. That's really good. Exactly. Well, I want to say thank you so much for joining us today and really appreciate your contributions here at Bides Athens 2025. This has just been an amazing event and really cool to be able to talk with folks like yourself and so good luck with your talk. Thank you, Davis. I do have one job in the last if I'm allowed to. Uh so jump we are planning to open open a um Greek branch. Oh wow. Nice. So so for those in audience I we'll sh we'll shout that out in the the talk as well but we'll be working with the uni

and uh some other industry partners to expand our business uh in this area. So look forward to look forward to that. So you heard it here first. Jumpac is going to be hiring in Greece. Awesome. Thank you so much and good talking to you. Cheers. You're listening to uh Besides Athens 2025 the podcast and we'll be back in just a few minutes.


And we're back here at BSides Athens 2025. My name is Dave Lewis and with me is, and I think there's something wrong with your microphone because I can't hear you through the headphones at all. Test now. Test now. Not so much. Anyway, we are very fortunate to have the sponsor here from Alphabet, a gold sponsor of BSides Athens. And if you could, well, it's good to have you back in the room. And I have to admit it's so hot in this room that I actually have already forgotten your name. Could you introduce yourself again for the listeners?

Yeah, sure. My name is Demetrius. I am the chief security officer for Alphabet Subcurity and also the founder. Today I'm a partner. Alphabet is a cyber security company that's stemming from, you know, the realities of cyber insecurity coming with it. I've been around for many years. It was since 1996, 1997 that I discovered a few things going not so right with, you know, networking. So coming from IT and ICT and, you know, the convergence of things, I found out that there's a true need for information security and cyber security, as we call it today. So the company, founded in 2008, has gone through a cyber security transformation. Today we are a specialized company doing 95% cyber security work. We have three main pillars of operations. The first one is what we call governance, risk management and compliance, also providing the technical aspect of risk management for our customers, meaning vulnerability management and penetration testing and different security assurance activities that go hand in hand with, you know, proper risk management. On the second pillar we are providing security operation support for our customers, as in managed security services and operational assistance on projects or on different things that they need. And the third pillar, which we are very proud of, is we are providing incident response and mostly digital forensics work. We have our own in-house laboratory. We're not, you know, dripping information to different laboratories. We do all the work in-house. We have our own analysts, certified, and we are very, very proud of the support we are providing for customers, going from the initial breaches or, you know, incidents that have been discovered, all the way to supporting the C-suite on decisions that have been made, providing assistance on how to contact the authorities, providing assistance to legal teams because they need to, you know, tend to the interest of their customers, and all the way into the courtroom, whatever is needed for customers to see their interest through a breach or a cyber security case that has to do with digital evidence, etc. So that's Alphabet. We have a good understanding of the cyber security chain. We are stronger in some parts, less strong in others, but we can provide strong support for our customers, and that's the way we do it.

And that's one of the really key pieces there that you just highlighted, saying that, you know, you're strong in some places but not in others. And that's not a bad thing to say. And there are so many companies out there, they'll say, "Oh, we do everything," and it's really disingenuous to the customer. So right there, you're really doing a lot to establish your bona fides and trust. And most importantly, you're here supporting the community, right? It's events like BSides that are for the community, by the community, and thanks to sponsors like you. Well, thank you so much for joining us again. This has been interesting. We've got a very hot day, and I also love the t-shirt. So if you're here at the event, stop by and see the Alphabet guys for their really cool swag. Thank you so much, guys. Cheers. Bye-bye. All right, we will be back in just a moment.


And we're back here at BSides Athens 2025. And it is my sincere privilege to be able to welcome none other than the founder, Dr. Greg himself, to the podcast. Welcome. Thank you. Nice to be here. Nice to be interviewed by the one and only Dave Lewis. Well, it's not only me. We have as well. Hello. Yes, of course. I'm coming to you first because I'm waiting for the ambush. Oh, okay. Save the best for last. Ambush. Ambush. Would I do that to you? Only because you saw me in this little hot room and I'm sweating to death. But the really cool thing is I came in here weighing 180 lbs. I'll leave here weighing 112. So, I do appreciate that. Close.

So, this has been quite an adventure for you as a founder of an event that has really become a wildly successful thing. Like last, well, not last time, the first time I was here, it was back in 2017 and it was a very small offering then, but it was really good. It was really well done and I was quite taken by that. And here we are nine years later, the 10th anniversary of this event, and it's a thousand people. How does that feel?

It feels amazing. But we are exhausted trying to do it as a community event. Thank you for being here as well. Thank you for supporting us with the podcast. A thousand people, yes. We can go much, much larger than that for sure, but it takes a lot of effort and it's not only me. I mean, I have a team that are equally motivated, they're equally inspired by giving back, sharing, learning from each other, and this is amazing. Stephanos, who's in his first year volunteering, has jumped into helping us with the podcast. For example, one of the things that we kept saying while setting this up: we're learning new things, we're learning new things. It's so nice. We're learning something beyond what we've done before. And I'm sorry to the viewers and to the listeners that we haven't done it perfectly. I'm sorry, maybe some sound problems, some visual problems. It's a community event. Please forgive us. We will try to make it even better next year, but everybody's having fun, and at least for the people who are here, everybody's having a very good time apparently, and minor things I think we can oversee for now and we will improve in the future.

Well, and that's the beauty of it, with events like this, it really is a learning experience and it gives opportunity for all sorts of people within the community to work together on things like this. And when I had a moment to step out earlier into the lobby there, it was absolutely staggering how many people are out there having very engaged conversations all over the place. And it's really cool. And when you say that you can grow it in the future, I jokingly last year, or maybe two years ago, was poking you about having it at the amphitheater by the Acropolis. Yeah. And then I realized how bleeping hot it is here in Athens at this time of year.

Unfortunately, this weekend it became really hot suddenly. We were not expecting it to be that hot. One of the core values of this event, and what we all looked for from the beginning, was to invest a lot in the quality of the event, as much as possible, as much as we can. Yeah. So we want people who come to the event to respect the venue, respect the effort, respect the speakers, respect the participants, everybody respect each other. We try to do our best, and I think over the years a lot of speakers and a lot of previous participants, like yourself, who came the first time in 2017, you've seen that we're trying our best, honestly we're trying our best, to make a very safe environment, very friendly environment, very welcoming environment, and the event gets this kind of reputation, and speakers travel from so many different places across the world, including Canada and including Alvin, to be here, and we had from Japan, we had from South Africa, we had from all over Europe, we had from Brazil. Like it's amazing to see that people take the time to plan and come to Athens for this opportunity.

And that's the beauty of it, when I come here, I'm actually seeing people from quite literally all over the world. So, I really appreciate the effort that you and all the volunteers have put into this and I really thank you for taking the time to speak with us today. I'm being told I have to give you the hook off of the stage, but I'm sure you have plenty to get back to. Thank you so much. Thank you for the experience. I hope you're enjoying it despite the fans, the heat. I'm making a vacation out of this. I came here to practice my fantastic. Dave's been back so many times and I hope to see you again in the future. Don't skip a year because of the hot room. But I left Canada, steam room. I left Canada at 42 Celsius to come to Athens at 32 Celsius. So, this is actually an improvement. Excellent. There we go. Thank you so much. Thank you. Okay. All right. We'll be back.

at BSides Athens 2025. Thank you all for listening in and we have our next guest in the room, Alex Holden. Would you take a moment to introduce yourself for the listeners? Appreciate it. Absolutely. My name is Alex Holden. I'm chief information security officer at Hold Security in the United States and here in Europe. We do cyber threat intelligence, incident response and old-fashioned pen testing and red teaming, and find interesting things, scary things on the dark web. Amazing. Welcome to BSides Athens. First time here? Absolutely. First time in Athens as well. Perfect. Perfect. Quite an interesting title you have there: Why I Go to the Dark Web Every Day. Tell me about that.

I spent the beginning of my career in cyber security, over a decade, in corporate structures building defenses, as high walls as possible so the bad guys can't get over them. And then 15 years ago I went into private consulting practice and started getting questions from our clients: Who did this? Why did they do it? What are they going to be doing with the data? And I realized that over a decade of defense, I didn't even think about it. So I started asking questions and also understood a very interesting thing. Technology changes and makes it extremely difficult for us to figure out what the bad guys are up to, but humans don't change, and the humans we can change and monitor. Right now cyber criminals are on the dark web. So that's why I go there, to be ahead of the curve.

Amazing. That's a great strategy to keep up and keep reinventing not only yourself but the way you think, and keep up with the attackers. I know you had your talk already. Any interesting questions that came up during your talk or any interesting thoughts that the audience shared? The big thought is, you know, for most people, like, why should I go to the dark web? So, you know, I can explain why I do that, but why others? And the big thing is that we need to learn about adversaries; building defenses for the sake of defenses doesn't work, and we're not effective enough, and in many cases we are being sold, by vendors, by society, by media, a problem that may not really exist. Understanding what the nemesis is against and what they're doing currently, right now, actually helps us to build much better defenses, makes us much more conscious and more up-to-date information security professionals.

Absolutely. Can you share maybe a couple of key findings that you have come to realize in the past few months just from browsing the dark web? Absolutely. One interesting thing right now with ransomware: the threat actors are actually offering their affiliates access to lawyers. So it's no longer your stolen data that will be available to the bad guys to sift through. It's a lawyer who works for the bad guys, going through it from compliance, from legal, from all these components, and that lawyer would actually evaluate the data, will tell the bad guys what the potential value of the data is, how to blackmail the company correctly, legally, and the lawyer would actually do negotiations on behalf of the bad guys. You're not going to be dealing with a half-drunk hacker who just sits there and types. It's going to be a trained lawyer who's going to be putting pressure, which actually they learned, you know, in law school, how to extort the victims, and this is just one of the many main values. I can see some grounds for disbarment at that point.

So, it's really amazing in that whole market space. Like if you look at, you know, DDoS for hire is another great example. I've seen videos that they produce advertising their platform and that they have 24/7 help support and things like that. So the having lawyers available, that doesn't surprise me, although it does at the same time. They're so well organized as attackers that they've turned it into effectively a business. It is a business. And if you think about it, an average successful ransomware gang makes in excess of $10 million a year. So, it's not a small issue. And more people come to this because they are being lured to these monetary gains, because they're completely unwarranted, they're completely illegal. But for many bad guys, it's much easier than doing it the old-fashioned, the legal way. So, $10 million. I think I have a new job prospect there. Well, thank you so much for joining us today. Really appreciate you taking the time to come in and have a chat with us, and unfortunately we are short on time, but thank you so much, and yeah, it's great to have you here at BSides Athens 2025. We'll be right back in just a moment.

2025 and in the booth with us we have Nick and Speros. Welcome aboard. Thank you for having us, nice to be here. First and foremost, Nick, you were the one that gave the talk today, correct? Would you like to give a little brief background as to who you are and what is it you say you do here? Sure. So I'm an associate professor at Stony Brook University on Long Island, New York. And I gave a talk today about content integrity. And Speros and I have actually formed a small startup that launched actually last week and seeks to sort of fix the issues that we discussed today during my talk. Excellent. And just for those listeners that are at home that didn't have a chance to see your talk, what would those issues be?

So I made this bold claim that a lot of seemingly different problems on the web are actually symptoms of one greater problem. And we identify this problem as stateless linking. So when I link to, be it a JavaScript file or a remote website, I actually have no guarantees about what it is that I will get today, tomorrow, a month later, a year later. So we are actually linking to boxes rather than the content of boxes, and whoever is the owner of that box can radically change what is being served when a user follows that link in the future. So in traditional security there is this general concept of time-of-check to time-of-use attacks. Mhm. We essentially have this variation: time-of-link to time-of-use attacks. So, I could create a link today on the internet, let's say, to a regular website that I like, that I trust, that supports my point of view. But there's no guarantee that in six months from today, that domain will not have expired. Someone else has picked it up. And now, whoever is the new owner claims the exact opposite of what the old link claimed.

And that's a very salient point. I used to have a link shortener. It was a do.zip website, and I lost control of it because, heaven forbid, I renew the bill. Exactly. And yes, it's exactly what happened. The malware provider started trying to distribute links that way. Interesting. Any interesting questions that came up during your presentation from the audience? No, we were running a bit late on time. But I definitely saw people kind of realizing as I was presenting more and more issues that were treated as separate issues, right? So, we have, let's say, a domain name expiring that you used for JavaScript. Now someone else registered this and can deliver malicious JavaScript to your website. So we treat this as one problem. Then I made another claim that a reason for our low media trust is actually because of content integrity. So we've published papers where we show that news outlets will actually change the headlines and the actual body of their articles post publication. I have seen that. Yes.

But the problem we have here is that humans are conditioned to click links. Exactly. So how do you, you know, provide that level of security? So it depends on what you're trying to do. So for example, you know, in our startup we are offering a solution where we will use crowdsourcing to identify all your links and then we pass them to filters. So I will find out, let's say, a link on part of your website from three years ago is actually pointing to something malicious today, or to something that's not safe for work, right, or to a local website. We have these cool findings. So there was this, if I have time I can cover this, sort of top-tier academic conference called ACCS, and there was this edition of this in 2018, and they registered a website, accs2018.org. And this was a website where all the papers were hosted, all the program was there, like Security BSides, right? So what actually happened at some point, someone stopped paying the bill, right? And if you visit this site now, and you have pretty much, you know, the entire, let's say, academic web pointing to this ACCS 2018, it actually redirects you to a Thai betting site, right? And so we have this blog post on our site that is, you know, "From the Ivory Tower to Putting It All on Red." Right? Essentially, you know, this problem of content integrity, right? We have links, the links point to boxes, but whoever is in control of the box can radically change what is being served when you ask for that.

Very cool. All right. What's next for the startup? Finding clients. You heard that, audience? Yeah, that's right. So, we pretty much have to convince people that, hey, this is an actual problem, right? Because people may not realize, oh, what is this thing that we tell, what is this link security, what are we talking about, right? So we have to convince people that, you know, all your external links are actually part of your attack surface, and if your site is large, if your site is old, there is zero chance that you have a complete picture of what it is that you're linking to. Not just if it's old; I mean even new links, as they come up, as you take your content and you publish new things, you can always, it's an external link. Now it's okay, but in 3 years from now you might be gone. That's right. Fair enough. Fair enough.

Do you have any last thoughts that you'd like to share before we wrap up here today? Just the final part that I showed in my talk, this triad of CIA: confidentiality, integrity, availability, and I made this claim that integrity doesn't get a lot of love, right? And actually people should really think about integrity as a property that requires safeguarding. That is beyond fair. Yeah, because it's always the confidentiality, sometimes the availability, but seldom the integrity. That's a very salient point. Well, I want to say thank you very much for being here today and thank you for being part of BSides Athens 2025 and I hope you have a great rest of your conference and


And we're back here at BSides Athens 2025. And apologies there, we all had to have some lunch and touch grass, all that sort of fun thing. And it is really amazing to be back here in Athens, Greece, because we're really getting to talk with a lot of really cool people. And that is, I know, to put a finer point on it, I've lost my train of thought, but one of those cool people, that's what I'm trying to get to. Yes. And let you run with this because I'm obviously defective. No, it's my fault because I kept talking to Dave outside at lunch, so he's out of energy. But here with us, we have Constantinos, whom I had the pleasure of meeting yesterday. And his talk today is going to be titled Cyber Warfare in Recent Armed Conflicts. Talk about a very, very timely talk. So, Constantinos, introduce yourself a little bit for the audience and give us an overview of what they should expect from your talk today.

Right. So, hello everyone. I'm Constantinos. I work as a senior security engineer at Performance Technologies. I also teach cyber security topics in New York College. And currently I pursue my in cyber security. So today's talk is about cyber warfare. I've chosen two conflicts, two current conflicts, to examine. These two are Russia and Ukraine and Israel and Palestine. Due to recent events, I had also to change my presentation at least two times during the last month. And I combined in this presentation international relations, geopolitics, cyber security. Yeah.

Curious question. Do you also link it up with the kinetic warfare or is it an overlay to it? What warfare? The shooting war, like, for example, the physical war. Do you have it integral, so do you have it as integrated with it or as an overlay? I try to focus more on cyber warfare, but as you will observe later in my presentation, you will also see that on many occasions they are used together, right? So yeah, this is an aspect of cyber warfare that is yet to be examined and there is no current doctrine that defines how it should be used more effectively, so the community is actually thinking about it right now. Very good.

So when you're giving your talk today, what are some of the key takeaways that you want your audience to be able to leave with, with respect to the content? Well, first and foremost that we're doing baby steps in the cyber domain. We have not yet explored the whole range. Also I think that I would like to mention in my presentation some of the ethical implications of cyber warfare, because even though we don't have, like, mass killings or, I don't know, maybe at once, it doesn't mean that cyber attacks are less dangerous than conventional ones. So yeah, I think these two sum it up.

I know your company is also a sponsor for BSides Athens. Do you want to spend a couple of minutes talking to us about your company? Yeah. Well, my company actually was not specialized in the cyber security field. Not until five years ago, when they created their SOC service, security service, and their offensive team, and that's when they started the whole journey in the cyber world, right? They were integrators at first. They implemented technologies. So yeah, it's a very nice thing to have you here today at this event. Well, I'm sure you're going to represent them diligently, and this is Performance that we're talking about. Good luck. I know you're a first-time speaker and from a very respectable field of academia. So, thank you for coming out and supporting. Thanks. Thanks.

And I do have a question before we wrap up there. Do you have any spoilers you want to give away to our listeners who are not actually able to be here in person? Spoilers, or maybe something that most don't know, or something misunderstood about your field of research. Well, actually many people believe that cyber warfare is like conventional warfare in the sense that it includes two sides, like two opposing sides, right? Cyber warfare is not like that. Since many groups and threat actors take part in these conflicts, they all have their secret agendas. So there are multiple sides. It's not like conventional war. That's one of the interesting things I saw with the mapping of the various different threat actor groups and seeing how not only do they share different operators from one operation to the next, like, you know, the LockBit group might have somebody that ends up going to another group. You're right that they align with different geopolitical factions. So, it's really amazing to see how that not only shifts but shifts on a consistent basis.

And for the average layperson at home, is there anything that they can do to better protect themselves against cyber attack, or educate themselves, or get educated maybe if they're not ready to defend? Well, don't use weak passwords. Like we left, but that's one of the simp... Those who deal with cyber warfare have the same principles as we do, like it's the same thing, right? They exploit weak passwords, they exploit unpatched systems, everywhere it's the same, like, yeah, they should follow the safe guidelines and that's it. Cool. Well, I really appreciate you taking the time here today. Sorry, I just had to throw in a couple more questions there because I am just innately curious and also very hot from the room in here. So, you're going to let it ride filled, right? Exactly. I really do appreciate it. Thank you so much and good luck with your talk today. Which track are you going to be in? Oh, track one. Track one. Oh, okay. You got the big stage. Nice. Excellent. Well, thank you very much for stopping in, and you've been listening to the BSides Athens 2025 podcast and, yeah, we'll be back soon.


All right, we're back here at Bides Athens 2025 and joining us in the booth is Yorgos and thank you so much for taking the time to be in here. But before I say anything, I absolutely love the t-shirt you're rocking there with uh you know your friend and mine, Darth Vader. Um quite enjoyed that. Um so your talk today what is it you're going to be talking about uh for the audience here it's self-healing networks am I understanding that correctly networks no software systems oh systems sorry I read that wrong don't worry about that uh so yeah basically it's largely my I'm a PhD candidate by the way university and it's basically my PhD work we're

trying to figure out if there is any way should be a way for software systems to actually be able to understand their own issues for example of security vulnerabilities and be able to patch the issues on their own with minimal to ideally not uh human intervention. So pretty much like the human immune system one would say it creates its own antibodies and it kind of makes uh makes sense with with adversities. So that's really interesting because um I've never done it from a software perspective but from a networking perspective I did it with you know various different protocols using VRP between firewalls and things like that so that when one site would go down it would seamlessly

fail over how do you accomplish that from a software perspective uh accomplished not yet it's early uh there are some good indications that we can accomplish to some extent some uh what you're talking about is also fault tolerance uh in one sense which is part of uh of the whole healing let's say process if applicable of course uh that's also much more dynamic what you're talking about in the software you whenever there is an issue and you need to patch it you need to first find the solution and then uh as we say push it to production whatever that may mean uh ideally not directly because you may break everything but there is a significant process which

involves a lot of testing a lot of uh uh CI/CD pipeline going uh going going over and basically uh after everything is done then it's pushed to production and merged so that's when the issues sort of resolved so it's a bit of a longer process time wise and having some healing part uh some ideally but Let's do some first and then we can transition to everything can greatly hopefully greatly increase the time the response time and such issues. All right. So um which do you think is going to be more beneficial the human intervention or you know relying on automation to address these sort of issues? more beneficial um for the enterprise for example from

an enterprise customer perspective. Do you think there is the possibility we can get to the point where automation, or god help me, AI, is going to be of a benefit for protecting organizations, or is this more we have to rely on humans for the foreseeable future to protect? So, for the foreseeable future I can't really tell. A short story: when I was writing my PhD proposal I was thinking that AI models and GPT-like models could be one final part, but from the moment I wrote it till we actually started the whole implementation and everything, the whole AI thing had skyrocketed to such an extent that we just couldn't ignore it at all anymore. So it jumped into

the whole forefront of the idea. So how soon it can, I don't know. For now, we do need human intervention and it makes a lot of sense. AI still makes mistakes, still produces unsafe code for everyone. You should know that it's not always safe to rely on AI code, and it still is not proven at a large-scale enterprise level. So for now, I think we are based on human intervention and AI assistance. But needless to say, human teams should also be having the cognitive ability to understand issues and not solely rely on AI to solve everything for them, which is almost a crime against humanity sometimes, as we are using it, not

we, everyone, but a lot of human beings, even high school students nowadays, to get their exercises done, is not very well. It's funny, because MIT actually released a study recently, I think it was not even a week ago, where they had 54 candidates and they did brain scans on them. Half of the candidates worked on ChatGPT and various other platforms like that, and the other half used it just to augment what they were doing, and they found that their brain processing capabilities dropped measurably on the ones that were solely AI for everything, whereas the people who used it as a 1x didn't have any appreciable decline there. Actually

that's kind of interesting from that perspective. I thank you very much for joining us today. Do you have any big takeaways that you would like to share, from your talk or in general? Oh, whatever you want. Generally speaking, trust AI, but you also need to trust yourself; not the AI much more than yourselves. And knowledge is power, obviously, and we still need to have that knowledge in order to actually use it. And from my point, I do believe, to a sense, in a sense I do hope, that AI can aid towards having more secure software around, but not completely replace every human being on planet earth in

software terms, and we also need to focus more on designing the same product now that coding won't be an issue anymore. Excellent. Security by design. There you go. Or security by default. Thank you very much and good luck today. Cheers. All right, we'll be back in just


BSides Athens 2025, and we're going to be introducing our next speaker, who is... Oh, wait. Crap. It's me. So, my name is Dave Lewis and I'm going to be talking soon. So, I'm going to just stop and turn it over to you. Exciting. Now you get just me and my emotional support fan. So, how do you feel, Dave? I mean, you've done quite a bit of work here today talking to speakers from all over the world about their presentations. But your title seems quite interesting: black swan events and building anti-fragile cyber security systems. A little bit of a loaded title there. Break it down for us. Well, there's a rationale behind this. So

there's an author named Nassim Taleb and he wrote a book about black swan events, and these are events that have massive impact but in hindsight could have easily been fixed, and he wrote it from the perspective of trading in the markets as an example. But when you take the lessons that he learned and outlined within his book and apply them to cyber security, they're absolutely applicable, in that we see these massive data breaches and then in hindsight it's like, oh, somebody forgot a patch or something like that. But it's like, how do we avoid these issues and how do we have systems that can take a hit and continue to operate? At a previous company, we

had a system that was not five nines, it was 100% uptime, and we were able to show demonstrably that that was the case. We even had one nation-state actor try to test us and they weren't able to take us down. So nowadays when I'm working here at 1Password, one of the things we're doing is trying to figure out how we can improve the lot for enterprises all the way down to SMBs and the individual, so that we're making them more resilient, so that when they're worried about their security, our stuff is able to go in and be that connective tissue that pulls it all together. And so this talk is more of a high-level abstraction as to

how we can do security better, because there's so many missteps, and I mean I've been perfectly guilty of it too. I've done silly things over the years that seemed like a good idea at the time, but we really have to figure out how we can codify our practices, because you look at the medical profession, you look at jurisprudence, and you realize they have literally hundreds of years of shared information that becomes canon, and then within respects of cyber security, if we're lucky we're 40 years old realistically as an industry vertical, and I think that if we're able to capture these lessons learned and build systems that can take a hit and

keep on going, that ultimately we'll be able to obviate the issues that we see from black swan events that can be driven by bad passwords, shadow IT, poor implementations of agentic AI, all of these types of things that really expose organizations and individuals to undue risk. Yeah, absolutely. Our previous speaker here was talking about self-healing systems, right? And it sounds like you're going to go into that a little bit. Inadvertently. Okay. Yeah, inadvertently. It's very much a similar type of idea. So, for me, it was more from a network perspective historically, because I built a self-healing network for one power company. And I remember at the time there were two physical

locations, and one of the engineers had wanted to use BGP to handle the load between the two of them. BGP. It blew my mind, because the two buildings were 20 km apart. So it was kind of pointless. So we were able to change that all out and have VRRP between the firewalls, all that sort of stuff, so that if an individual system failed at site one, site two would pick it up seamlessly. So it was always a hot-hot situation, not a hot-cold standby type of approach. Now, our previous speaker was talking about it from a perspective of software security, which I mean is absolutely applicable, and I honestly haven't spent a great

deal of time in that space. So if you're going to check out his talk, that would be wise. Yeah, I think that we can and will be able to do things better in the future as long as we start moving away from tactical responses and look at it from a perspective of strategy. What are two takeaways you want everyone to walk out with after your talk? One of the ones is do the hard stuff, because anything worth doing is going to be difficult. Mhm. The other piece of it too is making sure that we are looking at how systems can be resilient under stress, because the attackers are coming at us with a

sorry for the listeners out there. The doorknob just fell off the door to our office. We're still powering through. We're still powering through. We're resilient. There you go. Anti-fragile podcasters. That was not rehearsed. That was not even close to rehearsed. But yeah, so looking at it from that perspective of building systems that can take a punch and keep on going. Absolutely awesome. And you're no stranger to BSides Athens. No, I've been very fortunate. I was here for the second one and a couple of instances since then, and quite amazingly they had me back again. So I'm really glad to be here and be able to podcast with you today. And

I'm going to actually turn it over to you completely for about an hour as I go off and do my talk. Yeah, it's been a pleasure. Good luck with your talk. Your audience is going to be in for a treat. And then I'll catch you later. So, thank you very much. That's it.


And welcome back everyone. You're listening to BSides Athens. My lovely co-host is now presenting his own presentation. So you're stuck with me. And I have the pleasure of welcoming with me Martina from Accenture. And we both have emotional support fans with us today to keep up with the heat. I love it. Matina, introduce yourself a little bit for our audience. Thank you for having us. I'm Matina. I'm security manager at Accenture and I lead the cyber protection stream in Greece and Cyprus. Amazing. No small feat there. Have you been to BSides Athens before? Many times. Amazing. But it's the first time Accenture comes as a sponsor. Yeah. Thank you so much for

your support. We couldn't do it without you. Gold sponsor Accenture. Tell us a little bit about Accenture and specifically your department and what you do. We have a new department in security, approximately four to four and a half years, and we're mainly in application security, cloud security, data and AI security, post-quantum security, everything related to security, and GRC of course. So we handle solutions around security for our clients. Well, you're definitely at the right spot in terms of finding practitioners and engaging in conversations with them, as well as asking them the right questions. What are maybe some key things you're trying to get out of BSides Athens this year, specifically

with our 10-year anniversary that is this year? You know, we as Accenture have been believing that giving back to the security and the tech ecosystem is everything. Our core values align with what BSides wants. For example, we want to nourish the security culture. We want to collaborate with each other. We want to foster innovation, and that's exactly what we are here to do. There is no better spot to start than BSides. Mhm. How would you describe? I myself, this is the 10th BSides that I've gone to. I try to go to BSides internationally, go to where I speak the language, and try to understand the nuances of each culture

for each community, different BSides. How would you characterize the community of information security in Athens, in Greece and Cyprus specifically? In Greece and Cyprus, yes. Well, we are a quite new community, but we have the privilege of being local but acting global. So, we are able to bring, listen to people coming from abroad, tell us a few things about the new technologies, what are the trends, what are the innovative things, and of course this hasn't been left behind. I'm really happy with the state we are at now regarding security, and of course things are progressing really, really fast, but I think this is at the right spot. What are maybe a couple of, tell me a

few points of advice for young students or those transitioning into cyber security, as someone who's very successful with Accenture. Share a couple of bits of advice with us. Well, at first, join communities and events like BSides, like this one. Yeah, like this one. Yes. It's a very good start, because here you will see other people having the same passion as you: cyber security. You will see your ideas. You will exchange ideas. You will network. You will find companies or vendors that you want to collaborate with. You will find interesting technologies that you didn't know existed. So start by being a part of an ecosystem and then build your network

forwards. And by that we mean actually signing up to volunteer, even if you're intimidated or you have no idea what to do. A lot of times the people that are organizing this, because it is for the community by the community, it is best effort, right? So we try to show the ropes to each person that is interested, and then slowly you start to climb the ladder and maybe you'll organize your own event. Oh, and if you're in an area where maybe there's no local community near you, why not take that bold step and create your own? Additional to that, we need to focus on the inclusion and the diversity part.

I see many people right now looking for jobs in cyber security. But unfortunately, I can see little portions of women. Okay. So I started with cyber security 16 years ago and was the only woman in the domain. I know a little bit of that. Yes. And I would like to say that there is no specific background that you need to have in order to follow a cyber security career. You can be from a physics department. You can be from a mathematics department. You can be from a different background but also succeed in cyber security. There are so many streams you can follow: GRC, strategy consulting, risk assessments, vulnerability assessments, even management, leadership

increase, and security leadership is missing. So we definitely need more people, and actually I see quite a few women here today. So I'm excited for that. But that means we have work to do in training them to go into leadership. Any specific organizations you would like to highlight? I am personally involved with a local affiliate for Women in CyberSecurity, WiCyS. Yay. So there is one local chapter here in Athens. Okay, perfect. And also Women4Cyber; I believe they have a little bit more representation in Europe, as well as WISP, Women in Security and Privacy. They're also a global organization, but they combine a little bit of the privacy side,

so I actually get to work with data privacy lawyers, which, that's a whole different side of security if you think about it, though they are legal professionals. But yeah, any local efforts you would like to highlight for Greece and Cyprus? I'm also a member in Women4Cyber. I've been their mentor for the last years. I am also expecting their big event coming in September. So I'll be speaking. Oh, amazing. Yes. And there are a lot of communities that we can foster here in Greece. Okay. I'm also a member in the organizing committee of Open Conference, where we also try to foster Greece as a strategic destination for venture capital, for

startups, for digital nomads. Yeah. So, I truly believe in the volunteering part of the community. If we have any international audience right now, I think she just sold you on moving here, becoming a nomad and contributing to the Greek cyber security industry. Amazing. Any last thoughts that you would like to share with the audience? I'm really happy we're here. It's a very good starting point for a new professional to come and see what happens regarding security, to come and meet passionate professionals that really are eager to move forward with innovation and with their new ideas. So I'm really happy to be participating and I promise I will be participating for the next years.

Amazing. We'll see you here next year. That's it for now. We'll be back shortly.


Hello everyone, we're back. Hello. With us today we have Olga. Olga is part of the organizing committee, specifically the call for presentations. Olga, I'll let you introduce yourself and talk a little bit about your involvement with BSides Athens. Yes, of course. Thank you. So, I'm Olga. Many of you may know me because I've been doing the CFP for BSides Athens since 2016. I'm wearing the first t-shirt that we had today because I thought it's an anniversary. There are many reasons that did not allow me to be in Athens today, and it's really, really frustrating that I'm missing such an event, but I believe everyone enjoys it and it's been

I heard Greg earlier, yes, we did put a lot of effort in. Every year we're trying to make the event better for everyone, bigger, to bring in new ideas, introduce new things, and it's really something that we do because we do enjoy the involvement. We enjoy the interaction with the community and it's all about giving back to the community. It's about giving back to people and that's the main drive for us, and I just hope everyone enjoyed it. I absolutely, I tell you, I traveled all the way from Chicago to be here and it's been nothing short of amazing. There's people from a lot of different places. And you certainly reach an

audience way beyond Athens and Greece. Do you want to speak a little bit about the submissions? Maybe did we have a variety? Since the first round of this event, since the first year, we've been receiving many and very interesting abstracts for presentations. Last year and this year we can see the difference. The number of presentations we receive is beyond our expectations and, to say, it's been impressive. We love that people want to come to Athens. The quality of the presentations, the quality of the talks is impressive. There's times that the selection this year was very, very difficult. We've got an amazing review committee in place.

We've got people from across the world supporting us with reviewing the submissions and the talks. And still, there's so many; we've got a scoring system. So every year the call for presentations starts around towards the end of January and runs usually until April. So we do give potential speakers quite some time to submit, and then we start with the selection process, the reviews in the selection process. It's impressive how many presentations receive very similar high scores, because the quality is impressive, and that's what we really, really also appreciate from everyone that is wishing to come to Athens and contribute to the event, because it wouldn't be such an

impressive and successful event at the end of the day if we didn't have. Thanks for your help. Thank you so much, Olga, for tuning in. We definitely miss you here, but we'll see you here next year. Hopefully next year. Thanks everyone. We'll be back shortly.

Thank you. I'll see you later. Bye.


Hello everyone. I'm back. Quick change of headphones over there. My co-host Dave is still not back, but I'm very happy to have next with us Jessica. Jessica has been an amazing part of, and the reason why we're here today with, BSides Athens. Great job organizing everything. And she is an upcoming speaker, for her session in 10 minutes actually. So, Jessica, introduce yourself for us a little bit quickly and then talk to us about an overview of your presentation. Sure. Thank you so much for having me. It's very nice to be here. Thank you to our technicians as well. So I'm Jessica Rousu. I'm a core organizer here at BSides

Athens. Thank you all for being here with us, making our dreams a reality. Also, in 10 minutes, I'm doing my talk on EU DORA, the operational resilience act, the regulation that has taken the financial sector in Europe by storm over the past couple of years. It went live back in January, and I'm here to share our lessons and our process for getting there, but also what does the next day of DORA going live mean for the industry. I've heard a thing or two about it in the US. Do you want to give us some quick pointers about the takeaways the audience will leave with, especially for those who couldn't join with us in

person today. Yes. Well, operational resilience is hard to grasp as a concept, because it encompasses the company's own cyber security, incident management, business continuity, vulnerability management, third-party risk management. It has so many information and data points to capture and process. But where regulators are looking at is not the traditional incident management alone and the risk management, where you have a risk register there and you come up with your risks, you monitor your incidents and feed back into that, but rather the unprecedented threats. So how do you build capabilities for the future, for threats that you don't even know that you are susceptible to? So make sure your organization is very robust and

resilient and able to respond to those when they do materialize. And what are, as an SME in GRC, what are some maybe bits of advice you would share with the audience today, especially for those that are maybe thinking about moving into this area, or those already in it and want to become more successful? Oh, very nice question. So my advice for the GRC program in the business, which wasn't exactly part of the question, is to plan for the future and to make sure whatever you build can be repeated and scaled and improved. That's the advice I'm going to give to GRC professionals as well.

Technology is changing fast. New people are coming into the industry. We partner with different parts of the business. New challenges, new regulations. So, make sure you always build for scale. No custom solutions, no point-in-time solutions, but rather think strategically for your career and also for your job and the programs you build. And any specific organizations you would like to highlight, especially for women in cyber security, at least here in Europe? There's not many of us. So I know I've done quite a lot of work with WiCyS. Earlier we had Martina from Accenture with us and we spoke a little bit about the programs we're doing with WiCyS, Women in CyberSecurity,

with Women4Cyber, which is more prevalent in Europe. But yeah, so I was wondering if you had any anecdotes to share with your involvement there. Well, I live in London and I'm following the latest of London Hacking Society. They are doing great work there. They are all volunteers and they are teaching hands-on workshops from their own personal experiences. But also I found out that in the other events in the industry, like the ones in London, the environments are very inclusive. So I attend those as well, because they are a great opportunity to network, to contribute, to learn, to offer, and yes, they are very friendly

and open to any ideas. Yeah, and I can attest to that. The audience here is very diverse today and you guys have done a great job. So, thank you so much for organizing all of this and inviting us. And I'll let you get to your presentation and we'll be back with you shortly. Thank you. Thank you so much.


Hey everyone. Hey everyone. We're back. We're back. Next up, I have Xavier, Xavier Mertens. Can you do a quick introduction for us? Yes, sure. Well, I'm not really involved in BSides Athens, but I think I have a good experience with the event, because, if I remember correctly, except when there was the lockdown for COVID, I think that I attended almost all the editions since the first one, and particularly I remember the very first one, because it's always like this when you have a BSides event starting for the first time: it's always a challenge for the organizers, because you don't know how many people will submit, how many

attendees you will have, and so on. And I submitted and I was accepted, and so I spoke at the very first edition, and if I remember, I think I spoke maybe three times, maybe four; anyway, I don't remember. Just for, like, that's a big deal, congratulations. But I try at least to be present every year. Since two years I'm also part of the reviewers for the talks, but basically I'm sad this year, because I had to travel for SANS, because starting next week I will teach in Singapore. So I had to travel and I'm in Singapore right now. But I like to be in Athens. I

like the atmosphere. I like the city. I like the great people. I like Greek food. Come on. The Greek food is so amazing. Yeah. So this year I was not able to make it. But I hope that next year I will be back. We would love to have you back. I personally came here this year because I want to speak in Greek. And I like to travel with BSides wherever I can, but I actually came all the way from Chicago. Chicago. That's so nice. Yeah, but I'm like you. I like to travel. So, yeah. On the other side, you see, attend Singapore. Yeah, it was very difficult.

It's really, really hot this weekend. So, you dodged the bullet. I think that we have pretty much the same temperature. Yesterday we had 33°, 31. Today it was, it's, but that's the typical weather in Singapore: super wet. Super wet. So, we had also some thunderstorms today, but tomorrow it will be better. So, I still have a few times to visit nice places, but it's not my first visit to Singapore. So, I know where to go. I know the nice places. And on Monday, back to work, I start my training. Amazing. Xavier, tell us a little bit about what it means to be

part of the review committee. I like it, because sometimes for me the most funny part is that I see how people have crazy ideas, and sometimes my reflex is, oh my god, why did I never have this idea? Because I submit to, so I speak at multiple events, and sometimes I also get an invitation and the organizers say, hey Xav, can you join, can you present something? But I have no idea. You know, usually when you try to attend an event people expect to have fresh meat, a brand new talk with brand new research, and sometimes I have nothing to say, and I say, yeah, but I'm out of ideas. And when I see

the crazy ideas that some people have, oh, it's crazy. That's the funny part for me about reviewing talks. Any advice for someone who's listening and wants to take the step and submit a talk to a conference like BSides? Give us some. It's a huge debate, because some people, I think that they are afraid to submit, and they say, the feedback, because when I discuss with some people they say, yeah, but I did something which looks stupid, basically I will compete with top-level speakers and so on, and I will never be accepted. First, if you don't submit you will never know. So submit,

submit, submit. And it's better to be maybe rejected, but usually you get some feedback and in this way you can improve. That's also very interesting, because you can learn, for example, you have to work on your abstract, you have to provide more details, you have to go deeper, and so on. So my best advice is: don't be shy. Submit, submit, submit, submit. And I think that there was also a rookie track. Now, if I remember well, at BSides, or maybe not this edition, but one or two years ago there was a rookie track. So if you are a brand new speaker and you think that you are not able to attract the attention of a complete

room or a big audience, using rookie tracks, but sometimes that's for the newcomers and you can talk for the first time. So once again: submit, submit, submit, have crazy ideas and do not hesitate. That's my best advice. I love it. Chances are that because this is such a tight-knit community, if you are speaking about something you're passionate about, most likely it will come through to the audience and they will see that, and a lot of people are super curious. If you're in cyber security, you're innately curious. So you will get an audience no matter what. Definitively, definitively. And well, I think it's the same for all of us working in this field. We

have passion. I think that if you are not passionate about cyber security you will never work in this field. You can't. So if you are motivated and you have a crazy idea, go ahead, talk, and of course people will see that you are motivated, and even if your English is not perfect, even if it's the first time and you cannot exactly express your ideas, you have your rights, and maybe after the talk people will come to you and say, hey, by the way, I have a question about the research, maybe we can collaborate, I tried another tool, and so on. So once again, do not hesitate. Go, shoot and submit a talk. And we all get better with

practice. So I mean, English is not my native language, but the more I practice it every day, it's becoming like it. Yeah, exactly. Don't be shy. Yeah. Oh, and reach out to any people that have been former presenters and ask them if they can mentor you or maybe review your presentation before you submit it. I'm sure everyone will be more than willing to help out. Some conferences do that. Honestly, I don't remember if BSides Athens does that, but some conferences, they have a mentor-mentee system and basically you can be supported, and I would say not an expert speaker but somebody with more experience will be able to train you: go

this way, do that, write your slides in this way. For example, don't put too much information on your slides, don't put Times New Roman 8 on all your slides, because it's unreadable. Put nice pictures. Try to make funny comments. Have some memes on your slides and stuff like that. So, it exists. It exists. Definitively. Yes. Well, thank you so much. We definitely miss you here, but we'll hopefully see you here next year. Enjoy the conference. Thank you. Thank you. Have fun. And I hope that next year I will be back. Yeah. Thank you. We'll be back soon. Bye-bye. Bye.


Hello everyone. We're back now with George. George, can you introduce yourself to the audience? Yes. Hello. My name is George. I represent the company Crypton Drone Technologies, which is a Greek innovating company dealing with drones and all the services around UAVs, and we are the first company actually in Greece, we have developed a minivan which is a command control center, a mobile command center. Very cool. It's an innovation that can handle the crisis and all these disaster crises that can happen. So the van is 100% autonomous, fully equipped with generators and double-type cells. We have communications, we have a data

center inside and servers. So let's say in the case of an emergency or a crisis or a disaster or even a war, all the communications can go down; our vans, it's going to work. So we're going to use it at any, sorry, my English is very bad. You can say it in Greek. In any industry they can ask for us, let's say Ministry of Defense or general health or crisis management or civil protection, we can handle that. So yes, we are here to help our friend Greg. Yeah. Yeah. We spoke to him earlier today. He used to be my student mate in the university. No way.

I can tell you, spill out the details. Yeah. Okay. Oh my god. Maybe enough for the podcast. It was more than six or seven years together. Amazing. Roommates and classmates, and so I know everything about here, and that's what BSides Athens is all about. Community building, friends showing up for each other and supporting each other's events. Yes, that's true. We like to support all people, you know, whatever. We like innovations. We like people to do something and present new stuff and new ideas in our city, in our country, in everything. So yes, we support this kind of events, and of course we support

BSides Athens, and this is our fifth year, I think, like, oh, actually it's from the first year, 2015 I think. Yes. Yeah. From the start. From the start. Yeah. But like an organizer or volunteer or however you call that, staff. Yeah. This is our third. It's our third year. Amazing. And we would like to see more. Yeah. Yeah. We believe it's going to be better year by year. And I can give you a hint for next year if you want. I think it's still the details next year. The plans are already on the table and I think it's going to be massive. Really massive. I'm scared. They just, you know, I made a little

vacation out of this. I flew all the way from Chicago. But yeah, that's definitely a teaser. So you guys are welcome to come to Chicago as well. We have our BSides in October. Yeah, why not? Make the company go international. At the moment, is the company focused mainly on the Greek territory, or...? At the moment, yes. We have some communication with others as well. They are very interested in our concept, because our van is a concept. Yeah. Okay. It's not an idea, it's a concept. Okay. And it's fully autonomous, as I said before, and also it is mobile of course. It can handle a lot of things, and

also it's modular. So if you want to use it as a UAV control center, you can use it; if you want to use it as a communication center, you can do that as well; if you want to use it as a data center or a penetration control center or for data management, you can use it also; or for anti-drone systems. So it's modular. You just put whatever module you want on it, we can develop it, and it can work that way. Very nice, and definitely a very noble mission behind it. Any last thoughts you would like to share with the audience, maybe how you're enjoying your time here? I think it's very interesting, all these

speakers that I had a little time to interview, you know, but it was very interesting about the new stuff and all the cyber security. I know nowadays it's very... it's not a fashion, it's not a model, it's not, you know, something new for us; it's something very old because, as I said, I was a classmate with Greg, so I know the story about cyber security and all this stuff. But I think nowadays this is where things happen. Everything is going to turn around cyber security, around security in general, in this kind of systems. So it's very interesting to

know new things and to know how you have to protect yourself, even with small bits, you know, like password security and Wi-Fi security and all this stuff. Every bit can handle all the cyber security that you need to know. It's a responsibility for all of us. Not necessarily... we don't have to work in IT, but you know, we all have families, we have elderly people that we can take care of, and there's a lot happening out there that we should be mindful of. Well, thank you so much for coming out and supporting. We'll be back shortly. Thank you.


Hey everyone, you're listening to the BSides Athens 2025 podcast. This is Ulana, and with me I have my friend Wasim. I got a chance to meet him yesterday and talk a little bit about our cultural backgrounds. But I know you had your talk earlier today. How did it go? Share with us a little bit about your talk. What was it all about? All right. I think it was a good talk. We are doing a niche cyber security area, which is protecting organizations who have SAP systems. So for some people it was something new and exciting; other people wanted to understand how we can protect a black

box like this, because for cyber security and infosec people, SAP is a black box when it comes to their organizations. So what my talk targeted is the open-source project that I helped co-create and lead on OWASP, which is what we talked about: the OWASP business application security project. Amazing. Did you have any particularly interesting questions from the audience today? I think mainly about how do we actually protect SAP environments? There's a lot of shift in technology, and the recent technology of using a platform as a service or using the cloud, which SAP is now offering. So they had a lot of questions, and we get it a lot

also from our customers, because we concentrate on this area: how do we protect it? So where do we start? How do we... let's go into that. Give us maybe a couple of points? I only have three minutes, but let's do it. So I think the most important part is the main idea of our company, which is called No Monkey, and it comes from breaking these silos between security, audits and IT personnel. So the first thing that you would do is break these silos. I would say that would be the first step. It's easier said than done. Absolutely. But I would

definitely then look into building a baseline for SAP, understanding it from a different perspective, because when you hear about SAP security directly, that community is built around authorization and access and identity and access management, but it's way much more. And this is what we're trying to go beyond: just authorization. It's a big part of it, but there are a lot of different areas within an SAP system that you can definitely exploit. Amazing. Thank you. This is your first time at BSides Athens? Yes. It was quite good. Quite interesting to see how big it is compared to other BSides around Europe. Right. Right. I would say almost a thousand attendees. That's a lot. I

know we had one in Chicago. It was around 300 and we're going to have another one. So, to beat that attendance. How are you enjoying your time in Athens? It's quite good, other than the heat. Oh my gosh. Yes. Especially this room is steamy, but the audience knows that. I could feel it. Yes. But it's quite amazing. I've been to Greece before, but not Athens. And I did some exploring the last couple of days. Nice. Nice. Two more days to go before going back to Germany. So this is where I'm based. Yes. What's next for you? Any upcoming BSides or presentations that you're going to be part of? I think for the next month it's a break, because I

was at Troopers before. I forgot I'm in Europe. You guys take vacation here. Exactly. So, the next stop would be i