Speakers

Joshua Corman

Where were you 10 years ago? What did you believe? Where did you think we would be by now? How has it turned out?
10 years ago, @iamthecavalry was born - and so was BSidesLisbon. It is a moment for celebration and reflection.
Looking back equips is to look forward for the next 10 years - with more intention and affect. Changes are upon us… how will we change to meet them?

Joshua Corman is the founder of I Am the Cavalry, a grassroots organization focused on the intersection of digital security, public safety, and human life. He was formerly chief strategist of CISA’s COVID Task Force, where he advised on the pandemic response, provided cybersecurity expertise on healthcare infrastructure, and supported control systems and life safety initiatives. Prior to CISA, Josh was SVP and chief security officer at PTC, where he accelerated cyber safety maturity across industries. Previously, he served as director of the Atlantic Council’s Cyber Statecraft Initiative, on the Congressional Task Force for Healthcare Industry Cybersecurity, and in leadership roles at Sonatype, Akamai, IBM, and the 451 Group.

Adrien Ogée

Nonprofits, entrusted with sensitive community data and significant fundraising, face an escalating threat from cyber adversaries. The scarcity of cybersecurity talent intensifies this challenge. In this short talk we’ll discuss successful cyberattacks against nonprofits, evaluate the ethical dimensions of hacker engagement, and delve into the world of the CyberPeace Builders—a global network of corporate volunteers dedicated to protecting nonprofits worldwide.

Adrien spent his career in various cyber crisis response roles in Thales, the French and European Cybersecurity Agencies (ANSSI and ENISA), and the World Economic Forum. At the Institute, he oversees the provision of cybersecurity assistance to vulnerable populations. Adrien holds an MEng in telecommunication and information systems, an MSc in Global Security and has an MBA.

Zezadas and David Silva

Prepare to bend the rules of time and uncover the secrets of an embedded device in a way that even the most adventurous time traveler wouldn’t even dream to explore.
In this enlightening presentation, Zezadas, a security researcher, teams up with David, a software developer, to lead you through the remarkable process of gaining root access in an unsuspecting video converter embedded device.
Witness the fusion of expertise and creative problem-solving as Zezadas and David share a step-by-step account of their exploits.
Discover firsthand that hacking embedded devices, often perceived as a daunting challenge, can be accessible, enjoyable, and, most importantly, a journey through time.
Whether you’re a security aficionado or simply curious about the intersection of technology and time-travel, this talk promises to entertain, educate, and inspire.

In this one-of-a-kind security presentation, join Zezadas and David as they journey “ Hacking Embedded Devices - From Black Box to UID 0” where hacking embedded devices takes on a new dimension.
This presentation covers the process of achieving root access on an embedded device with no prior information by combining exploits and reverse engineering techniques.
Throughout this presentation, you will learn methods to identify hardware specifications, conducting decompilation and analysis of Android Applications and Linux binaries. This acquired knowledge will be applied to uncover and exploit vulnerabilities within embedded systems.
Together, they’ll showcase that hacking embedded devices isn’t as intimidating as it may seem and that it can be an adventure worthy of a time-traveling DeLorean.
Get ready to explore the boundaries of time as Zezadas and David exploit a device misconfiguration to gain root shell access. This unique approach showcases the ingenuity of hackers who can make the past and present converge in unexpected ways.
Throughout the talk, you’ll gain valuable insights into the world of embedded device security, learning practical tips and techniques that can be applied to your own projects. Whether you’re an experienced security professional or simply intrigued by the blend of technology and time travel, this presentation promises to entertain, educate, and inspire.

Zezadas is a dedicated security researcher with a strong passion for exploring the intricacies of hardware hacking. With a wide-ranging skill set and an unyielding curiosity.
Exploring the inner workings of hardware systems brings immense joy, as it involves disassembly of devices and desoldering of chips. This hands-on approach has yielded invaluable insights into uncovering vulnerabilities and potential exploits within embedded systems.
As a committed advocate for cybersecurity education, Zezadas frequently shares knowledge and experiences at renowned cybersecurity conferences worldwide. These include events such as BsidesLisbon, BsidesBangalore, BerlinSides, AlligatorCon, WarCon, 0xOPOSEC, and many others.
Engaging across a broad spectrum of cybersecurity domains, Zezadas extends expertise to encompass web penetration testing, mobile application security assessments, and various other specialized areas.
With a genuine desire to elevate cybersecurity awareness and expertise, Zezadas remains dedicated to fostering a more secure digital world through knowledge sharing and hands-on exploration.


David Silva:
I am a Software Engineer with experience in writing code using mostly Typescript and Java.
During my professional career I worked with several frameworks such as Angular, Spring, and NestJS. I’m also experienced with Docker, Kubernetes, AWS, Google Cloud, and Azure.
I am passionate for most things related to technology and I am always willing to learn new things, particularly concerning cyber security.

Carlos Friaças

What is an hijack? What is a leak? Which technologies are already available to prevent real impact? Why do people keep on announcing IP networks that don’t belong to them or their customers?
This talk will go through some historic hijacks, and will mainly focus on cases originated in Portugal - one which is recent and low-profile, the other which lasted several years and was largely publicized when was uncovered.
While this netsec related topic is usually not on daily cybersec news, hijacks still happen everyday, even if their scope can sometimes be limited. This talk also intends to describe cases where this type of attack can be explored.
The Internet was built over confidence between multiple parties. It is widely recognized times changed, however, one of the core Internet protocols - bgp, border gateway protocol - is still greatly abused, despite all extensions and standardization efforts to improve it. The main aim of this talk is to provide the audience with awareness about routing hijacks, and how it can leverage certain types of attacks. It also intends to unveil largely insecure practices between network operators. In the scope of FIRST’s netsec-sig a proposal is being prepared to reduce the attack surface for hijackers. FIRST is the forum of incident response and security teams.

Carlos Friaças is the Head of RCTS CERT at FCCN, a Unit of FCT.
Carlos has graduated in Computer Science at the University of Lisbon in 1999.
He was a Systems Engineer at University of Lisbon from 1996 to 2000 (with a short spell at FCCN, working for the Portuguese Schools’ Network Team and the ccTLD .PT).
He managed the Portuguese Internet Exchange (Gigapix), while contributing to the Networking Team, responsible for AS1930 until late 2015. Since 2001 he manages the Local Internet Registry for FCCN.
During 15 years Carlos was involved in several European Projects, namely GÉANT, 6NET, 6DISS, 6DEPLOY and IPv6-TF-SC. Over the years Carlos has delivered IPv6 courses (around Europe and Portuguese speaking countries in Africa) and also some talks at TERENA Networking Conferences and RIPE meetings.
Since late 2015 he moved into CyberSecurity, taking a leadership role at RCTS CERT, the Portuguese R&E Network’s Computer Emergency Response Team. He was the manager of LinhaAlerta between 2016 and 2018, and represented FCCN at the INHOPE Association. Carlos was the Chairman of the Portuguese National CSIRT Network General Assembly in 2017 and 2018, and served as a member of its Executive Committee in 2021 and 2022.

Tiago Henriques aka Balgan

This talk will look at LLMs and GenAI usage in cybersecurity. What are some realistic use cases, what is a dream and reality? what works and what doesn’t? Technologies often get overhyped, is that the case with genAI and cyber security?

Artificial intelligence and natural language processing have seen immense progress in recent years, with large language models like GPT-3 demonstrating new capabilities in generating human-like text. This has led to excitement about how these advanced AI systems could be applied in various domains, including cybersecurity. However, separating the hype from reality can be challenging.
In this talk, we will take a practical look at the current state of using large language models (LLMs) and broader generative AI for cybersecurity use cases. What types of applications show real promise versus those that may be premature or impractical today? We will examine some realistic and proven use cases like automating threat analysis from OSINT sources, as well as more speculative ideas like auto-generating exploits or replacing human analysts. Understanding the true capabilities and limitations of LLMs will provide guidance on where these technologies can make an impact now versus areas that require more research and development.
Separating hype from reality is important as organizations consider investments in applying AI for cybersecurity. While LLMs enable new applications, they do not represent a magic solution. Thoughtful integration and human-machine teaming will be required to maximize the value of AI for security. By taking a critical look at the real-world challenges and barriers to adoption, this talk aims to provide a pragmatic perspective on harnessing the power of large language models to enhance cybersecurity.

Tiago Henriques, also known as Balgan, is a seasoned executive with a vast background in the tech industry, particularly in the fields of cybersecurity, cyber insurance, and data science. Currently, he is the VP of Research at Coalition, Inc., where he is responsible for building innovative risk signals for risk selection in underwriting and risk aggregation modeling. He also oversees a team of researchers in the areas of cybersecurity, software engineering, and machine learning.
Before his current role, Balgan served in various leadership positions within Coalition, Inc., including Head of Research, Director of Engineering - Security and Data Collection, and GM - Customer Security. In each of these roles, he drove innovations in risk selection, mitigation, large scale data collection, and managed diverse teams to achieve strategic objectives.
Prior to his tenure at Coalition, Inc., Balgan was the founder and CEO of BinaryEdge, a cybersecurity firm he successfully ran for over five years before it was acquired by Coalition.
Balgan holds an MSc by Research in Computer Security and Forensics from the University of Bedfordshire, and a BSc in Software Engineering from the University of Brighton.
Tiago holds a regular column on Dark Reading on the topics of cybersecurity and cyber insurance.
Beyond his professional interests, Balgan is passionate about bioinformatics, machine learning, robotics, and photography. He shares his insights and findings on these topics through his blog, balgan.world​.

Jasvir Nagra and Pedro Fortuna

This talk is a thought provoking lecture that puts the finger on one of security professionals’ most significant struggles: nobody patches fast enough. The fact is that patches take a long time to come out, they take a long time to be applied by companies, then it can break your application, or even worse, not fully fix the security issue. We’ll explain why and present the numbers. We present the use of sandboxing and isolation, combined with patching as a more effective defense strategy.
A standing premise in engineering and security is that in order to be secure you have to have all security patches applied and your software be up to date. This advice seems obviously correct but can also be the source of a lot of frustration, cost and fragility in production systems. Security patches often have to be rushed out, can be poorly tested, sometimes subtly change behavior and can cause performance, availability and even security problems to get introduced. Not only that, when vulnerabilities occur in third party systems, your ability to patch or upgrade can be dependent on a vendor or a party you don’t control.
Infrastructure as Code (IaC) and the use of containers and orchestration complicated matters by forcing patching to any part of the application or infrastructure cause a full application build. For smaller sized apps, this isn’t really relevant, but it’s a real problem for apps that take hours to build and even more to test before being able to deploy again. This can highly discourage people from patching as fast as they can.
Automated patching isn’t the answer as well, as the risk of breaking the application is too high. So, certainly, there must be another way.
What alternatives are there then? In this talk, we will argue that an alternative is to use sandboxing and isolation to limit the blast radius of exploits. We will also look at three different examples in networking, in server side rendering and a web client on how you can architecture a system using sandboxing and isolation so that while patching remains necessary, the need to rush a patch out can be mitigated.
Hopefully, this talk can help security professionals better strategize how they spend their efforts to find a balance between finding and fixing vulnerabilities and patching them - and deploying mitigation or attenuation mechanisms assuming that no one can ever aspire to be 100% secure.

Jasvir Nagra is widely recognized as a thought leader in software protection. He is co-author of Surreptitious Software, the definitive textbook on software protection, and an early researcher in obfuscation, software watermarking, and fingerprinting. With more than 12 years of experience, his professional path includes companies such as Instart, Dropbox and Google - where he led the Caja project. As an advisor to Jscrambler, he is helping cybersecurity startups address key technological challenges.

Pedro Fortuna:
Ex-academic now leads Jscrambler’s security research. More than 15 years of experience in web security, OWASP contributor, patent author & speaker at security conferences. Specializes in app & web security, reverse engineering, & software engineering.

Pedro Umbelino

SLP - Service Location Protocol, a protocol with 25 years and still lurking around the Internet. From denial-of-service amplification attacks to act as a basis for a C2 infrastructure, from transient data storage to anonymous communications, the esoteric possibilities are vast.
In this talk, we will talk about SLP and the latest vulnerability CVE-2023-29552, a protocol vulnerability which results that SLP servers can be abused to conduct reflective DoS amplification attacks. With an amplification that can go up to 2230x and a current available attack bandwidth calculated in the 10 Tb/s, it can potentially be used in a catastrophic way.
We will talk about the root cause, how it works and it’s current prevalence and distribution (vendors, sectors and geographies). We will go through the disclosure timeline and our collaboration with DHS/CISA in the process to reach out to vendors and service providers, and how almost by chance we found ourselves in a group to manage the ‘imminent’ crisis.
Then we will explore other creative use cases for abusing the SLP protocol, some that can be used for good, others not so much. This includes an active protection to deny attackers their DoS amplification, transient message boards, C&C possibilities, anonymous publications and other strange things one can do when the mind gets creative.

Pedro is a security researcher by day and Hackaday contributor by night. He started messing around with computers on a Spectrum, watched the bulletin board systems being dropped for the Internet, but still roams around in IRC. Known by the handle [kripthor], he likes all kind of hacks, hardware and software. If it’s security related even better.

Dimitrios Valsamaras

The Android operating system uses intents as its main means of exchanging information between applications. Besides messaging, file exchange is also possible by simply constructing an intent of action ACTION_SEND and using it to forward the desired file as an associated stream to another application. On the other end, the receiving app can define a filter in its manifest to inform the intent resolver to route the forwarded stream to a specific component.
While the sender application can construct an implicit intent and delegate the decision of choosing the target to the user, it is also possible to explicitly define a component of another package and by the time that this is exported, to trigger it by using an explicit intent. The latter eliminates the need of user interaction and can be initiated at any time while the sender application maintains a foreground state.
In this talk we describe an attack which exploits the case where the receiving application blindly trusts an incoming stream and proceeds with processing it without validation. The concept is similar to a file upload vulnerability of a web application. More specifically, a malicious app uses a specially crafted content provider to bear a payload which it sends to the target application. As the sender controls the content but also the name of the stream, the receiver may overwrite critical files with malicious content in case it doesn’t perform some necessary security checks. Additionally, when certain conditions apply, the receiver may also be forced to copy protected files to a public directory, setting the user’s private data at risk.

A cybersecurity professional with expertise in mobile, web, and network penetration testing. Dimitrios holds a degree in Computer Science, majoring in Cryptography and Security, and has worked with top companies like Microsoft and Google. He is frequent speaker at prominent security conferences such as BlackHat, Nullcon, Insomni’hack, and Troopers. He is passionate about reverse engineering and was a member of one of Greece’s first reverse engineering research groups.

sagie and Dekel Paz

Attackers can still steal credentials, escalate privileges, and execute code over the network using old and new techniques (from NBNS/LLMNR poisoning, Pathfinding via SharpHound, PrintNightmare, LDAP relaying, PetitPotam and the list goes on). Still, even the most advanced security products fail to prevent such attacks.
In this talk we dive into the hidden corners of Windows firewall and networking, showing how attackers bypass various networking restrictions, and how defenders can block attackers from sleuthing around using built-in mechanisms and novel techniques.
We start by examining the free, built-in tool that comes with every Windows OS – the Windows Firewall. This is an underutilized, not well understood mechanism. We show how users can better understand their firewall configuration using our OSS tool WTF-WFP.
But what about instances where you can’t put a firewall. A prime example is domain controllers that have-to-have multiple sensitive protocols and services exposed to everything. In such cases, we put a firewall anyway! We discuss some of the internal mechanisms of the RPC and LDAP services, and why built-in protections are lacking (to say the least). We explain the concepts we used to develop the RPC Firewall and – debuting - LDAP firewall, which can be used against a whole family of attacks.
Finally, we take a step back to look at the entire network. We discuss CornerShot, a technique that attackers can use to spy on another hosts’ network access without requiring any special privileges in the domain. We show how attackers use this technique to locate interesting intersections/jump-hosts in the network (to compromise) and how defenders can use CornerShot to better protect critical paths.

In this talk, we present an innovative perspective on the Windows Firewall, a seemingly outdated security tool that remains a powerful and free resource for defenders to detect and thwart various attacks. However, if misused, it becomes susceptible to circumvention by attackers. Our objective is to highlight the correct utilization of the Windows Firewall as an essential weapon in the defender’s arsenal, empowering them to prevent and detect a wide range of attacks. To achieve this, we have developed an open source tool called WTF-WFP, designed to explore the WFP architecture, troubleshoot issues, and identify potential firewall “overrides” instituted by attackers.
Moreover, we delve into the domain controller, a critical component of the network that is often vulnerable due to its exposure to multiple sensitive protocols over the network. Addressing this vulnerability, we introduce two open source tools: the RPC Firewall and the LDAP Firewall. These protective measures act as firewalls for the RPC and LDAP protocols, allowing administrators to audit and block specific requests based on configuration. Demonstrating their effectiveness, these tools have already proven capable of detecting attacks and thwarting pentesters. Throughout the presentation, we will delve into the inner workings of these tools, explain their functioning, and showcase how they can be integrated with Sigma to detect and prevent various forms of attacks.
Finally, we broaden our scope to discuss CornerShot, another one of our free and open source tools. CornerShot is a technique used by attackers to clandestinely spy on a host’s network access without requiring any special privileges within the domain. We explore how attackers exploit this technique to identify critical intersections and jump-hosts in the network, which can subsequently be compromised. However, in a defender’s hands, CornerShot becomes a potent tool to safeguard vital network paths and enhance overall network protection.

Sagie is a defensive security researcher, with over 15 years of experience. He spends most of his time developing open source tools for defenders, researching new attack techniques, and lecturing about his findings in various conferences.

Dekel Paz:
Security Researcher with over 15 years of experience in Cybersecurity and software development. I’ve been on both sides of the fence – leading Offensive and Defensive security teams in the past.
In my free time I enjoy playing my guitars, drinking specialty coffee, and have recently began indoor rock climbing.

Vitor Ventura and Edmund Brumaghin

Mercenary spyware companies need to evolve their spyware capabilities just like software from any other commercial company. This presentation details an account and timeline of one such mercenary organization, from almost bankrupt to having a fully working spyware targeting iOS and Android with one-click zero-day exploit.
Intellexa, a conglomerate of commercial spyware creators, was born out of the alliance of existing mercenaries: Nexa Technologies, Senpai, WiSpear and Cytrox, a North Macedonian company focused on the Android platform. The spyware created by Intellexa consists of highly modular and versatile spyware, deployed via zero day attacks against a variety of victims targeted by unscrupulous state-related actors all over the world.
From the moment Cytrox was “rescued” by Intellexa, it started to revamp their suite of spyware called ALIEN/PREDATOR. Based on code analysis and OSINT, this presentation will take the audience through a time travel describing key milestones for capability building, hiring, sales pitch and finally the delivery of their solution to potential customers.
Throughout our presentations Vitor will share the fundamentals of the analyses providing the audience with insightful techniques that can be replicated in their own research, and eventually helping in the construction of timelines based on binary analysis.

Vitor will break down all major events in ALIEN and PREDATOR’s development cycle leading up to the first campaigns ever attributed to Cytrox, highlighting their operational tactics along the way.
Finally Vitor will make a high-level comparison between the ALIEN/PREDATOR tag team and the solo PREDATOR for iOS, the reasoning behind such platform specific differences while illustrating that ultimately the core and capabilities of the spyware are basically the same.

Throughout our presentations we will share the fundamentals of our analyses providing the audience with insightful techniques that can be replicated in their own research, and eventually helping in the construction of timelines based on binary analysis.

We breakdown all major events in ALIEN and PREDATOR’s development cycle leading up to the first campaigns ever attributed to Cytrox, highlighting their operational tactics along the way.
Finally we will make a high-level comparison between the ALIEN/PREDATOR tag team and the solo PREDATOR for iOS, the reasoning behind such platform specific differences while illustrating that ultimately the core and capabilities of the spyware are basically the same.

Vitor Ventura is a Cisco Talos security researcher and manager of the EMEA and Asia Outreach team. As a researcher, he investigated and published various articles on emerging threats. Most of the day Vitor is hunting for threats, reversing them but also looking for the geopolitical and/or economic context that better suits them. Vitor has been a speaker in conferences, like Labscon, VirusBulletin, NorthSec, Recon, Defcon’s Crypto and Privacy Village, BSides Lisbon, Bsides Dublin among others.
Prior to that he was IBM X-Force IRIS European manager where he was the lead responder on several high profile organizations affected by the WannaCry and NotPetya infections. Before that he did penetration testing at IBM X-Force Red, where Vitor led flagship projects like Connected Car assessments and ICS security assessments, custom mobile devices among other IoT security projects. Vitor holds a BSc in Computer Science and multiple security related certifications like GREM (GIAC Reverse Engineer Malware), CISM (Certified Information Security Manager).

Edmund Brumaghin is a threat researcher with Cisco Talos. He has spent the past several years protecting environments across a number of different industries including nuclear energy, financial services, etc. He currently spends his days hunting malware and analyzing various threats as they emerge and continue to evolve. In his time with Talos he has researched ransomware and other threats being distributed using various attack vectors. He has also worked to expose large scale malware campaigns and raise awareness of security threats observed across the threat landscape.

Lucas Ferreira

In today’s interconnected world, companies rely on a complex network of third-party vendors and service providers to deliver their products and services. This includes the use of Software as a Service (SaaS) applications and open-source libraries, which can provide significant benefits in terms of cost savings and scalability. However, this also introduces new risks, as attackers can target these third-party providers to gain access to a company’s systems and data.
In this presentation, we will explore the topic of incident response in cases of supply chain incidents. We will discuss what supply chain attacks are and how they can occur through the compromise of SaaS applications and vulnerabilities in open-source libraries. We will also examine real-world examples of supply chain attacks seen by Cloudflare, including the January 2022 Okta compromise, a bug in interpreting IPv4-mapped IPv6 addresses, and the Log4Shell vulnerability. We will focus on how Cloudflare responded to these incidents and show lessons learned.
We will also discuss how these incidents affect a company’s incident response team. Supply chain incidents can be particularly challenging for incident response teams because they often involve third-party vendors and service providers that may be outside of the company’s direct control.

Lucas is a highly experienced Information Security professional with a diverse professional and academic background. With over 25 years in the field, he has a wealth of experience working in various sectors, including big corporations, startups, government, and international organizations. Throughout his career, Lucas has worked across various Information Security domains, including risk assessment, network security, web and application security, cloud security, incident response, and IT and security operations. In addition to his practical expertise, Lucas has a solid academic foundation in information security and cryptography. He holds an M.Sc. degree and has completed all the requirements for a Ph.D. (unfinished) in cryptographic protocols. He has also published several papers in the field.
Lucas is a long-standing contributor and supporter of OWASP. He served as a Project Leader, Chapter Leader on two continents, and Committee Member. Lucas led the team responsible for organizing three highly successful OWASP Global Appsec Conferences in Brazil.

Paulo A. Silva and David Sopas

In the era of AI, when the time comes to look for a brand new car, we could have taken the shortcut and asked ChatGPT or Bard which one to take. But no. We need to know how seriously car manufacturers take security.
No. We won’t discuss the Euro NCAP - European New Car Assessment Programme. We will present some of the security issues we found in several car manufacturers’ online assets.
This is gonna be a street legal presentation respecting the speed limits. We will take the time to make you wonder how it is to own a Ferrari, give you a hell of a Porsche experience, and tell you how to overtake a Mercedes with style. Wait! If you’re driving other brands, we still get you covered.
Fasten your belts and join us in this talk. Driving license is not required.

Paulo is a security practitioner with a solid background in software development, who has spent the last decade focused on identifying critical vulnerabilities and breaking software. He is a long-time OWASP volunteer and co-leader of the OWASP API Security Project, where he advocates for secure API practices and contributes significantly to mitigating security risks in the API landscape.

David Sopas is an experienced security researcher with a wide range of expertise. As COO of Char49, he has played a key role in driving the company’s success. David is also a sought-after speaker, having presented at numerous conferences including Def Con, BSides, and RSA, sharing his ideas and knowledge with audiences around the world. His exceptional work includes being the creator of MindAPI - an open-source API security methodology, which has gained recognition within the industry.