Research and Development


  • Security Engineering – A manifesto for defensive security (6/28/2019) - Presentation on the need to re-examine how we engineer systems (taking service providers as an example) and the implications on how we quantify cyber risk if we want to take this message into the board room (as given at BT’s SnoopCon 2019 and Cisco’s June 2019 Knowledge Network webinar for service providers). Having delivered security […]
  • So you want to build a SOC: Lessons from the front line (6/20/2019) - Presentation on building an effective operational security capability (as given at Cisco Live US/Talos Threat Research Summit 2019). This talk will not help you build a SOC in only 60 minutes, but it will help you build a functional security operation over time. Building a SOC can be daunting. This talk will look at how […]
  • Is that really you? The importance of identity in breach response and recovery (6/18/2019) - Presentation on Zero Trust and the importance of identity in breach response and recovery (as given at InfoSec Europe 2019 on the tech talk track). Richard Dean, Cisco’s EMEAR Head Of Security Advisory Services, looks at Cisco’s approach to zero trust. This talk discusses the need to monitor your users’ access and privileges and how […]
  • Discover the secrets of the SOC (6/18/2019) - Presentation on building effective SOCs (as given at InfoSec Europe 2019 on the interactive workshop track). Simon Crocker, Cisco’s EMEAR lead for SOC Advisory, looks at what goes into making a SOC work effectively. This talk discusses the core SOC requirements around the monitoring and incident response functions, but also touches on some of the other […]
  • Where 2 worlds collide: Bringing Mimikatz et al to UNIX (12/6/2018) - Presentation on Active Directory integration solutions for UNIX (as given at Black Hat Europe 2018). Over the past fifteen years there’s been an uptick in “interesting” UNIX infrastructures being integrated into customers’ existing AD forests. Whilst the threat models enabled by this should be quite familiar to anyone securing a heterogeneous Windows network, they may […]
  • The importance of logs: You won’t see what you don’t log (10/31/2018) - Presentation on logging and auditing strategies (as given at Secure South West 11). Building on my blog post on Cisco’s security blog entitled The Importance of Logs, I put together a presentation that picks apart some of the practical aspects of building a successful logging capability focusing on the need to document “good” and curate […]
  • Playback: A TLS 1.3 story (8/13/2018) - Presentation on 0-RTT in TLS 1.3 (as given at DEF CON 26 and Black Hat 2018). TLS 1.3 is the new secure communication protocol that should be already with us. One of its new features is 0-RTT (Zero Round Trip Time Resumption) that could potentially allow replay attacks. This is a known issue acknowledged by […]
  • Secrets of the motherboard (2/16/2018) - Presentation on “interesting” features of the Intel x86[_64] platform (as given at 44CON 2017). A lot of recent work has gone into the discovery, analysis, and (on occasion) marketing of hardware weaknesses in the Intel x86[_64] platform particularly with respect to how it is often implemented as part of specific motherboard designs. Some, such as […]
  • SSL/TLS Hipsterism (11/17/2017) - Presentation on finding implementation* bugs outside the mainstream (as given at Securi-Tay 2017). A lot of fantastic work has gone into the discovery, analysis, and (on occasion) marketing of SSL/TLS vulnerabilities. Some, such as BEAST and LUCKY13, are issues in the protocol itself. Other bugs, however, affect individual implementations of this complicated and nuanced protocol. […]
  • GET IN THE RING0 (9/24/2015) - Presentation on how Windows kernel drivers work and where to look for vulnerabilities (as given at 44CON 2015).
  • How many bugs can a time server have? (11/7/2014) - Presentation on vulnerabilities in the Symmetricom (Micro Semi) S350i time server (as given at EMF Camp 2014). YouTube has a recording of the presentation as given by Tim and Mike.
  • 44CON uncovered (6/21/2014) - Presentation on system level vulnerabilities (as given at BT’s SnoopCon 2014). This talk references previous presentations including: “I miss LSD”, “Big Game Hunting: Simple techniques for bug hunting on big iron UNIX” and “Breaking the Links: Exploiting the Linker”.
  • I miss LSD (9/15/2013) - Presentation on system level vulnerabilities (as given at 44CON 2013). A wise man once said (paraphrased) “if you want to find UNIX bugs, compare and contrast the Linux and Solaris man pages”. Following on from my previous work on linker bugs and more recently AIX (at 44CON 2012), we’ll look at some of the more […]
  • Big Game Hunting: Simple techniques for bug hunting on big iron UNIX (9/10/2012) - Presentation on auditing and bug hunting on AIX (as given at 44CON 2012). Simple techniques for bug hunting on big iron UNIX. The talk will build on the work previously done in my “Breaking The Links” paper but will focus on AIX and associated IBM products. The talk will include some new bugs as well […]
  • Breaking the Links: Exploiting the Linker (3/27/2012) - Presentation on exploiting linkers based on my paper (as given at Uncon 0×12 and CRESTCon 2010). I am currently working on an update to the paper which will focus on other UNIX like OS with the aim of sharing some of my findings at a future conference.
  • Attacking Windows Domains (2/16/2011) - CRESTCon presentation looking at the Windows Domain Authentication model. Windows Domains use a single sign-on system: authenticate to one machine and you can then use that machine to access all of your available resources across that domain. This is great for users but also for attackers. This presentation covers a number of techniques and tools […]
  • Introducing Heyoka: DNS Tunneling 2.0 (3/24/2009) - Slides from SOURCE Boston 2009, presenting heyoka, a new DNS tunneling tool that uses spoofed traffic to avoid detection and multiple encodings to improve speed. By Alberto Revelli and Nico Leidecker.
  • OWASP AU 2009 Slides (3/19/2009) - Slides from OWASP Appsec Australia 2009.
  • Insecure Trends in Web 2.0 Applications (10/31/2008) - Non-technical talk about insecure trends in Web 2.0 applications. Explains what’s wrong with today’s Web 2.0 applications and why newcomers keep repeating these.
  • Flash Security (10/31/2008) - This presentation, given at RIATalks, is about fundamental Flash security issues, the attack surface of Flash and secure development. The presentation included stealing data through vulnerable Crossdomain.xml files; you can download source code of this file –
  • Introduction To Format Strings (6/17/2008) - A presentation introducing format string problems. What? This presentation tries to cover the basics of format string exploitation, starting with an explanation of the legitimate use of Format Strings (Yin) and moving on to how programming flaws can be exploited using this technique. Why? I spent many months getting my head around the nuances of FS exploitation […]
  • More Adventures in Format Strings (4/14/2008) - A follow-up presentation to show more in-depth format string exploitation techniques. What? This presentation covers a method for exploiting format string vulnerabilities which is compared to techniques used for exploiting heap smashes. It does not cover the basics of the vulnerability because these seem ten a penny. Why? Much work has been written […]
  • How to Detect and Exploit 99% of XSS Vulnerabilities (4/2/2008) - This presentation was given at Intercon 2007 (Portcullis’s internal conference). It talks about exploiting and identifying the most common XSS vulnerabilities in the real world. Examples include the following types: Classic XSS Vulnerabilities, In HTML Attributes, In Comments, In Javascript Blocks, DOM Based XSS, Flash Based XSS, Direct Linking. The presentation was heavily based on demonstration, so you need to […]
  • GUI Access Through SQL Injection (4/1/2008) - Slides presented by Alberto Revelli at OwaspDay II in Rome, 31/03/2008. They describe some SQL Injection tricks that can be used to get full access to the DB server’s operating system. The examples are mainly focused on MS SQL Server, but the concepts are valid for other DBMS as well.
