Jim Fenton
Consultant, Altmode Networks
Mastodon
Bluesky
Linkedin
Instagram
What’s new in SP 800-63-4
NIST SP 800-63B-4 made important changes to authentication requirements in a number of areas. New methods of account recovery have been introduced, requirements for external authenticators (including wireless authenticators) have been added, and requirements for syncable authenticators (e.g., passkeys) are now included. Incremental changes to password requirements, including the separation of locally and centrally verified passwords, have also been made. This talk will discuss the important authentication changes and summarize important changes in identity proofing and federation as well.
———-
Ragnhild Varmedal
CTO of HelseID, Norwegian Health Network
Bluesky
Linkedin
How HelseID Makes the Vendors Implement the World’s Strictest OAuth Security Profile—and Be Happy About It.
The healthcare sector is undergoing rapid digitalisation, with sensitive data being handled and exchanged. HelseID serves as a central authentication and authorisation platform for the healthcare sector in Norway. To meet high security requirements, HelseID requires vendors to follow a strict security profile, perhaps the world’s strictest OAuth security profile. But how is that possible in an ecosystem where many vendors are neither willing nor able to make changes?
———-
Michal Špaček
A hacker and a security engineer, Head of Security at Shoptet
Mastodon
Bluesky
Twitter
Linkedin
Facebook
GitHub
Password Reuse Is a Dumpster Fire – We Brought a Hose
How web app accounts are stolen nowadays, and have been for the past 20 years, and why. What “obstacles” the attackers have to bypass and what developers and operators can do about it. We’re managing some 40k SaaS shops and see accounts being taken over, credentials being reused and users (not) using 2FA much more often than we’d like to. But luckily we also try to fight all those things, and I’d like to share our stories to sort of prove and show that apps can and should go beyond “password must contain uppercase, lowercase and a number”.
———-
Rostyslav (Ross) Yevdiukhin
Senior Advisor at Semaphore Consulting Partners
Linkedin
OT Security meets reality
The author shares impressions after coming from the enterprise IT world into the world of OT. How is OT security different from IT? How can large companies deal with multiple vendors? How useful are the recommendations from big consulting companies and industry best practices?
———-
Ondřej Caletka
RIPE NCC
Mastodon
RPKI: the Public Key Infrastructure that makes the Internet more secure
The BGP protocol, which is used to exchange routing information on the Internet, comes with no built-in security. Any router can claim to hold any IP address space, as well as modify the parameters of messages passing through it. In the past, routing information was filtered using Internet Routing Registries, plaintext databases with no rigorous checks of who actually holds a resource. Resource Public Key Infrastructure (RPKI) is a technology supported by all five Regional Internet Registries, providing a cryptographically secured registry. It can be used for Route Origin Validation (ROV), a system preventing an unauthorized Autonomous System from originating a particular IP address prefix, as well as for Autonomous System Provider Authorization (ASPA), which prevents the incidents known as route leaks.
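An added example, not part of the talk and not code from RIPE NCC or any RPKI validator: a minimal Route Origin Validation check in Go over a constructed ROA table (documentation prefixes and private AS numbers, not real RPKI data). It walks through the three RFC 6811 outcomes, including why a more-specific announcement beyond a ROA's maxLength is Invalid rather than NotFound, and why an AS0 ROA makes every announcement of that prefix Invalid.

```go
package main

import (
	"fmt"
	"net/netip"
)

// ROA is one Route Origin Authorization from the RPKI: the holder of Prefix
// authorises ASN to originate it, down to prefixes no longer than MaxLength.
type ROA struct {
	Prefix    netip.Prefix
	MaxLength int
	ASN       uint32
}

// Validity is the RFC 6811 route origin validation state.
type Validity int

const (
	NotFound Validity = iota // no ROA covers the announced prefix
	Valid                    // a covering ROA matches both length and origin AS
	Invalid                  // covered by at least one ROA, but none matches
)

func (v Validity) String() string {
	return [...]string{"NotFound", "Valid", "Invalid"}[v]
}

func mustROA(prefix string, maxLength int, asn uint32) ROA {
	return ROA{Prefix: netip.MustParsePrefix(prefix).Masked(), MaxLength: maxLength, ASN: asn}
}

// SampleROAs is a constructed table (documentation prefixes, private ASNs);
// it is not real RPKI data.
var SampleROAs = []ROA{
	mustROA("192.0.2.0/24", 24, 64496),
	mustROA("198.51.100.0/22", 24, 64497),
	mustROA("2001:db8::/32", 48, 64496),
	mustROA("203.0.113.0/24", 24, 0), // AS0 ROA: nobody may originate this space
}

// covers: the ROA prefix contains the route, i.e. the route is equal to or
// more specific than the ROA prefix (maxLength is not considered here).
func covers(roa ROA, route netip.Prefix) bool {
	return roa.Prefix.Bits() <= route.Bits() && roa.Prefix.Contains(route.Addr())
}

// matches: a covering ROA also permits this prefix length and names this
// origin AS.
func matches(roa ROA, route netip.Prefix, originAS uint32) bool {
	return covers(roa, route) && route.Bits() <= roa.MaxLength && roa.ASN == originAS
}

// Validate applies RFC 6811 to a single announcement (prefix, origin AS).
func Validate(roas []ROA, prefix string, originAS uint32) (Validity, error) {
	route, err := netip.ParsePrefix(prefix)
	if err != nil {
		return NotFound, err
	}
	route = route.Masked()
	covered := false
	for _, roa := range roas {
		if !covers(roa, route) {
			continue
		}
		covered = true
		if matches(roa, route, originAS) {
			return Valid, nil
		}
	}
	if covered {
		return Invalid, nil
	}
	return NotFound, nil
}

func main() {
	announcements := []struct {
		prefix string
		asn    uint32
	}{
		{"192.0.2.0/24", 64496},    // Valid
		{"192.0.2.0/25", 64496},    // Invalid: more specific than MaxLength
		{"192.0.2.0/24", 64511},    // Invalid: wrong origin AS (hijack)
		{"198.51.100.0/23", 64497}, // Valid: within MaxLength
		{"203.0.113.0/24", 64496},  // Invalid: AS0 ROA
		{"100.64.0.0/10", 64496},   // NotFound: no ROA at all
	}
	for _, a := range announcements {
		v, _ := Validate(SampleROAs, a.prefix, a.asn)
		fmt.Printf("%-18s AS%-6d %s\n", a.prefix, a.asn, v)
	}
}
```

A router doing ROV would typically drop Invalid routes and accept Valid and NotFound ones; the example stops at computing the state, which is the part the RPKI defines.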
———-
Luci André Knudsen
IAM Wizard @ Udelt AS
Linkedin
Bluesky
How I Learned to Stop Worrying and Love ReBAC
Most of us are used to thinking about access control in terms of roles: predefined sets of privileges assigned to subjects. But what if access could instead be determined by the relationships between people, resources, and organizations?
In this talk, we’ll explore relationship-based access control (ReBAC)—an authorization paradigm where permissions are defined through the presence of relationships rather than static role assignments. We’ll look at the theory behind ReBAC and examine how it enables intuitive and flexible modeling of complex access requirements. Finally, we’ll see why ReBAC is particularly powerful in domains like healthcare, where strict regulations demand fine-grained, context-aware access control.
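An added example, not from the talk or from any ReBAC product: a small Zanzibar-style relationship store in Go. Permissions are not assigned to roles; a check walks relationship tuples and per-relation rewrite rules. The healthcare model, the namespaces, relation names and users are all constructed for illustration: a record is viewable by anyone written directly as a viewer, by a clinician treating the record's patient, or by the care team of the ward the patient is currently admitted to. Deleting the admission tuple is enough to revoke the ward team's access, which is the point of deriving access from relationships rather than static grants.

```go
package main

import (
	"fmt"
	"strings"
)

// Tuple is one relationship: Subject has Relation on Object. Subject is either
// a user ("user:carol") or a userset ("team:7b-nurses#member").
type Tuple struct{ Object, Relation, Subject string }

// Rule is one branch of a relation's rewrite. An empty Tupleset means "the
// directly written tuples"; otherwise follow Tupleset from the object and
// check Computed on every object reached that way.
type Rule struct{ Tupleset, Computed string }

type Store struct {
	tuples   map[Tuple]bool
	rewrites map[string][]Rule // key "namespace#relation"
}

func NewStore(rewrites map[string][]Rule) *Store {
	return &Store{tuples: map[Tuple]bool{}, rewrites: rewrites}
}

func (s *Store) Write(t Tuple)  { s.tuples[t] = true }
func (s *Store) Delete(t Tuple) { delete(s.tuples, t) }

func namespace(object string) string {
	ns, _, _ := strings.Cut(object, ":")
	return ns
}

// Check answers "does user have relation on object?" by expanding the
// relation's rewrite rules and recursing through usersets.
func (s *Store) Check(object, relation, user string) bool {
	return s.check(object, relation, user, 0)
}

const maxDepth = 16 // guards against cyclic relationship graphs

func (s *Store) check(object, relation, user string, depth int) bool {
	if depth > maxDepth {
		return false
	}
	rules, ok := s.rewrites[namespace(object)+"#"+relation]
	if !ok {
		rules = []Rule{{}} // relations without a rewrite are direct-only
	}
	for _, r := range rules {
		for t := range s.tuples {
			if t.Object != object {
				continue
			}
			if r.Tupleset == "" {
				if t.Relation != relation {
					continue
				}
				if t.Subject == user {
					return true
				}
				if obj, rel, isSet := strings.Cut(t.Subject, "#"); isSet && s.check(obj, rel, user, depth+1) {
					return true
				}
			} else if t.Relation == r.Tupleset && s.check(t.Subject, r.Computed, user, depth+1) {
				return true
			}
		}
	}
	return false
}

// SampleStore builds the constructed healthcare model described above.
func SampleStore() *Store {
	s := NewStore(map[string][]Rule{
		"record#viewer":     {{}, {"patient", "treating"}, {"patient", "care_team"}},
		"patient#care_team": {{"admitted_to", "care_team"}},
	})
	for _, t := range []Tuple{
		{"record:alice-labs", "patient", "patient:alice"},
		{"record:alice-labs", "viewer", "user:auditor-dan"},
		{"patient:alice", "treating", "user:dr-bob"},
		{"patient:alice", "admitted_to", "ward:7b"},
		{"ward:7b", "care_team", "team:7b-nurses#member"},
		{"team:7b-nurses", "member", "user:nurse-carol"},
	} {
		s.Write(t)
	}
	return s
}

func main() {
	s := SampleStore()
	for _, u := range []string{"user:dr-bob", "user:nurse-carol", "user:auditor-dan", "user:dr-eve"} {
		fmt.Printf("%-18s viewer of record:alice-labs: %v\n", u, s.Check("record:alice-labs", "viewer", u))
	}
	s.Delete(Tuple{"patient:alice", "admitted_to", "ward:7b"}) // discharge
	fmt.Println("after discharge, nurse-carol:", s.Check("record:alice-labs", "viewer", "user:nurse-carol"))
}
```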
———-
Jaromir Talir
CZ.NIC
FIDO for Governments
CZ.NIC operates the federated digital identity service MojeID, which has been accredited by the Czech government as an official digital identity for accessing governmental services. MojeID has also been notified under eIDAS for cross-border access to European online services provided by governments. MojeID embraces FIDO technology as an authentication means. The presentation will summarize how FIDO is used, which requirements are taken into account, and what the obstacles are in deploying FIDO at this level.
———-
Dr Ashley Sheil
Cybersecurity researcher & lecturer at Munster Technological University
Linkedin
Perspectives on Online Privacy, Security, and Emerging Technologies Among People with Intellectual Disabilities in Ireland
How do people with intellectual disabilities view digital identity, generative AI tools, and security and privacy online? We spoke to individuals with intellectual disabilities in Ireland, as well as their supporters, to discuss exactly this.
———-
Dustin Heywood (EvilMog)
Executive Managing Hacker, Senior Technical Staff Member
Linkedin
Twitter
Bluesky
NTLMv1, MSCHAPv2, PPTP-VPN, and NTHASH Mechanics
This talk will cover the mechanics of password shucking NTLMv1 (with or without ESS), MSCHAPv2, PPTP-VPN, as well as NTHASH, CT1, CT2, CT3, PT1, PT2, PT3, K1, K2, and K3, and the associated tools and methodologies. This talk will also cover some interesting, not obvious implications of the protocols.
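An added example, not the speaker's tooling: the NTLMv1 response construction in Go using the standard library's DES, written with K1..K3 as the three DES keys carved out of the zero-padded NT hash, PT as the 8-byte challenge block each of them encrypts, and CT1..CT3 as the resulting ciphertext blocks (that reading of the abstract's naming is my assumption). The inputs are constructed: the NT hash of the string "password" and a fixed server challenge. The last function shows the structural weakness that makes shucking practical: K3 contains only two unknown bytes, so CT3 gives up NT hash bytes 14 and 15 in at most 65536 DES operations, and the same response shape is what MSCHAPv2 and PPTP reuse.

```go
package main

import (
	"bytes"
	"crypto/des"
	"crypto/md5"
	"encoding/hex"
	"fmt"
	"math/bits"
)

// Constructed inputs: the NT hash (MD4 of the UTF-16LE password) of the
// string "password", and an 8-byte server challenge.
var (
	NTHash, _    = hex.DecodeString("8846f7eaee8fb117ad06bdd830b7586c")
	Challenge, _ = hex.DecodeString("0123456789abcdef")
)

// DESKeyFromBits expands 7 key bytes (56 bits) into the 8-byte key layout
// crypto/des expects: 7 key bits per byte, low bit set to odd parity.
func DESKeyFromBits(k7 []byte) []byte {
	k8 := []byte{
		k7[0],
		k7[0]<<7 | k7[1]>>1,
		k7[1]<<6 | k7[2]>>2,
		k7[2]<<5 | k7[3]>>3,
		k7[3]<<4 | k7[4]>>4,
		k7[4]<<3 | k7[5]>>5,
		k7[5]<<2 | k7[6]>>6,
		k7[6] << 1,
	}
	for i, b := range k8 {
		if bits.OnesCount8(b&0xFE)%2 == 0 {
			k8[i] = b | 1
		} else {
			k8[i] = b &^ 1
		}
	}
	return k8
}

// desBlock encrypts the 8-byte block pt under the 7-byte key k7.
func desBlock(k7, pt []byte) []byte {
	c, err := des.NewCipher(DESKeyFromBits(k7))
	if err != nil {
		panic(err)
	}
	out := make([]byte, 8)
	c.Encrypt(out, pt)
	return out
}

// NTLMv1Response computes CT1||CT2||CT3: the 16-byte NT hash is padded with
// five zero bytes to 21 bytes, split into K1, K2, K3 (7 bytes each), and
// each key DES-encrypts the same 8-byte plaintext PT.
func NTLMv1Response(ntHash, pt []byte) []byte {
	padded := make([]byte, 21)
	copy(padded, ntHash)
	var resp []byte
	for i := 0; i < 3; i++ {
		resp = append(resp, desBlock(padded[i*7:i*7+7], pt)...)
	}
	return resp
}

// ESSChallenge is the only thing that changes with Extended Session Security
// (NTLM2 session): PT becomes the first 8 bytes of
// MD5(serverChallenge || clientChallenge) instead of the raw server challenge.
func ESSChallenge(serverChallenge, clientChallenge []byte) []byte {
	sum := md5.Sum(append(append([]byte{}, serverChallenge...), clientChallenge...))
	return sum[:8]
}

// RecoverK3 exploits the padding: K3 is NT hash bytes 14..15 followed by five
// zero bytes, so CT3 can be searched exhaustively with at most 65536 DES
// operations, revealing the last two bytes of the NT hash.
func RecoverK3(pt, ct3 []byte) ([2]byte, bool) {
	k7 := make([]byte, 7)
	for guess := 0; guess < 1<<16; guess++ {
		k7[0], k7[1] = byte(guess>>8), byte(guess)
		if bytes.Equal(desBlock(k7, pt), ct3) {
			return [2]byte{k7[0], k7[1]}, true
		}
	}
	return [2]byte{}, false
}

func main() {
	resp := NTLMv1Response(NTHash, Challenge)
	fmt.Printf("NTLMv1 response (CT1||CT2||CT3): %s\n", hex.EncodeToString(resp))
	tail, ok := RecoverK3(Challenge, resp[16:])
	fmt.Printf("NT hash bytes 14..15 recovered from CT3: %x (found=%v)\n", tail[:], ok)
	// K1 and K2 each still need a full 2^56 DES key search against CT1 and CT2
	// (the part dedicated hardware or lookup tables are used for); with all
	// three, the NT hash itself is known and can be reused directly.
}
```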
———-
Sebastien Raveau
Founding partner, Security Customer Satisfaction
LinkedIn
DNSSEC equivalent for multicast DNS: mDNSSEC
Don’t you hate it when your mesh network has MACsec to protect it from MAC address spoofing, IPsec to protect it from IP spoofing, DNSSEC to protect it from unicast DNS spoofing, but nothing to protect it from multicast DNS spoofing? Introducing: mDNSSEC!
———-
Maximilian Golla
CISPA Helmholtz Center for Information Security
Linkedin
Mastodon
Measuring the Risk Password Reuse Poses for a University
Password reuse can leave organizations exposed for years. We analyzed two decades of university account data to see how deep the risk goes. By cross-referencing usernames with hundreds of known breaches and cracking weak hashes, we guessed the password for 32% of the university accounts. Many of these reused passwords stayed active for years, and those appearing verbatim in breaches were almost four times more likely to be exploited than tweaked variants. Most affected users had no idea their accounts were at risk. In this talk we will share what we uncovered about long-term password reuse and how any organization can deal with this ever-present threat.
———-
Niels Loozekoot
Red Team Operator @ PWC
Hash Cracking Enthusiast @ HashMob Pro Team
Partner @ Lethologica.nl
Linkedin
hashmob.net/discord
Set Coverage Optimized Hashcat Rules for HashMob. A dive into applied statistics
Passwords often follow predictable transformations: capitalizing the first letter, appending a year or season, or adding symbols such as “!” or “.”. Combining these, however, expands the keyspace exponentially. This talk presents a method for building a highly optimized wordlist–ruleset combination that maximizes plaintext recovery while minimizing duplicates, and releases said ruleset. The ruleset is based on analysing 200+ existing rulesets and cherry-picking those with the most unique results, measured against 10,000+ hashlists from data breaches.
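An added example, not the HashMob ruleset or tooling: a Go sketch of the selection step the abstract describes, reduced to a greedy set cover. A tiny interpreter handles a subset of hashcat's rule functions (`:`, `l`, `u`, `c`, `r`, `$X`, `^X`, with functions separated by spaces), each candidate rule is run over a wordlist, and rules are picked in order of how many not-yet-recovered target plaintexts they add, so a rule that only duplicates what earlier rules already produce is never chosen. The wordlist, the "breach" plaintexts and the candidate rules are constructed and deliberately include redundant rules.

```go
package main

import (
	"fmt"
	"strings"
	"unicode"
)

// ApplyRule applies a hashcat-style rule to one candidate word. Only a small
// subset of the rule language is implemented, and functions must be separated
// by spaces (e.g. "c $2 $0 $2 $4"). The bool is false for any function this
// subset does not understand, so unsupported rules are skipped, not misapplied.
func ApplyRule(rule, word string) (string, bool) {
	for _, fn := range strings.Fields(rule) {
		switch fn[0] {
		case ':': // no-op: the word itself
		case 'l':
			word = strings.ToLower(word)
		case 'u':
			word = strings.ToUpper(word)
		case 'c': // capitalize the first letter, lowercase the rest
			r := []rune(strings.ToLower(word))
			if len(r) > 0 {
				r[0] = unicode.ToUpper(r[0])
			}
			word = string(r)
		case 'r': // reverse
			r := []rune(word)
			for i, j := 0, len(r)-1; i < j; i, j = i+1, j-1 {
				r[i], r[j] = r[j], r[i]
			}
			word = string(r)
		case '$', '^': // append / prepend exactly one character
			if len(fn) != 2 {
				return "", false
			}
			if fn[0] == '$' {
				word += fn[1:]
			} else {
				word = fn[1:] + word
			}
		default:
			return "", false
		}
	}
	return word, true
}

// Selection records one chosen rule and how many previously uncovered
// target plaintexts it added.
type Selection struct {
	Rule string
	Gain int
}

// SelectRules is the greedy set-cover step: repeatedly pick the rule whose
// output over the wordlist recovers the most targets not yet covered by the
// rules already chosen, until nothing is gained or maxRules is reached.
// Ties go to the earlier rule in the candidate list.
func SelectRules(rules, wordlist []string, targets map[string]bool, maxRules int) []Selection {
	hits := make([][]string, len(rules)) // per rule: distinct targets it produces
	for i, rule := range rules {
		seen := map[string]bool{}
		for _, w := range wordlist {
			if out, ok := ApplyRule(rule, w); ok && targets[out] && !seen[out] {
				seen[out] = true
				hits[i] = append(hits[i], out)
			}
		}
	}
	covered := map[string]bool{}
	var chosen []Selection
	for len(chosen) < maxRules {
		best, bestGain := -1, 0
		for i := range rules {
			gain := 0
			for _, p := range hits[i] {
				if !covered[p] {
					gain++
				}
			}
			if gain > bestGain {
				best, bestGain = i, gain
			}
		}
		if best < 0 {
			break
		}
		for _, p := range hits[best] {
			covered[p] = true
		}
		chosen = append(chosen, Selection{rules[best], bestGain})
	}
	return chosen
}

// Constructed sample data (not from any real breach): ":" and "l" are
// redundant here, and "c" and "r" recover nothing at all.
var (
	SampleWordlist = []string{"password", "summer", "welcome", "dragon"}
	SampleTargets  = map[string]bool{
		"Password1": true, "Summer2024": true, "welcome!": true, "Dragon!": true,
		"Password!": true, "summer": true, "PASSWORD": true,
	}
	SampleRules = []string{":", "c", "u", "c $1", "c $!", "$!", "c $2 $0 $2 $4", "r", "l"}
)

func main() {
	for _, s := range SelectRules(SampleRules, SampleWordlist, SampleTargets, 10) {
		fmt.Printf("%-18q +%d\n", s.Rule, s.Gain)
	}
}
```

On the sample data the greedy pass keeps six of the nine rules and drops `c`, `r` and `l`; at HashMob scale the same loop runs over the union of many rulesets and many hashlists, which is where the "unique results" in the abstract come from.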
Day 3 speakers (Chatham House rule day, no video, no pictures)
———-
Dr Junade Ali
Engprax Ltd
Junade.com
———-
John-André Bjørkhaug
Netsecurity
Linkedin
———-
Mateusz Chrobok
Linkedin
———-
Per Thorsheim
Founder / main organizer, PasswordsCon
Linkedin
Bluesky
Mastodon
Use, Abuse and wrong use of eID solutions
… and more speakers & talks to be added soon!