20 min read

BeerCon3 (#BC3) - Game of Pwns

BeerCon3 (#BC3) - Game of Pwns
Photo by Kane Reinholdtsen / Unsplash

In 2019, The Beer Farmers hosted BeerCon1 - a marathon event attracting many well known speakers to chat with us for charity. In 2020, in the midst of a pandemic, we hosted BeerCon2: Rise of The Rookie - giving many first time speakers their shot at the limelight.

It's 2021, and we're proud to say, we're back with BeerCon3: A Game of Pwns!


  • Date: Thursday 28th October & Friday 29th October, 2021.
  • Tickets: This is a free event but ticket "sales" let us track projected number of attendees. Tickets are available on Eventbrite: https://beercon.tv/tickets.
  • Platform: Streamed live on Twitch - https://beercon.tv/watch
    (recordings will be uploaded to YouTube post event).
  • Community: We have a discord (https://beercon.tv/discord), come say hi.

Download the full schedule as an .ics file here: https://beercon.tv/calendar


Opening address by TBF
Date: Thursday 28th October
Time (British Summer Time): 09:00 - 09:15


Speaker: Nicolas Boeckh
Talk Title: Javascript: An Appsec Perspective On The Multi-Faceted Devil That Calls The Internet Its Home
Abstract: The average user’s experience of the Internet relies on three elements: Content (HTML), Style (CSS), and Behavior (JavaScript). A great majority of modern frameworks that use a variety of languages and approaches usually boil back down to these three concepts in these three formats. Concentrating on Behavior, we will take a closer look at JavaScript, which has grown to outgrow the user’s browser, now enabling a massive ecosystem that allows the construction of API's, of games, and more. The aim for this presentation is first to give an overview of how JS works, in and out of the browser and what capabilities are there for eager or seasoned developers to take advantage of and play around with. Then, it will try to consider how an Application Security centric approach can mitigate various exploits and benefits the developer, as well as a malicious approach which would try to make use of said exploits. Finally, a special consideration will be given to the usage of obfuscation, whether it be via WTFJS style obfuscation (also known as non-alpha-numeric obfuscation) or control-flow obfuscation for example. Since these can be used on either side of the ethical boundary, whether it be to shield application logic or to make malware written in JavaScript harder to detect, it is an important component of JS’s everyday usage.
Date: Thursday 28th October
Time (British Summer Time): 09:15 - 09:45

Speaker: Will Thomas
Talk Title: Hacking-As-A-Service: Becoming An APT Is Easier Than Ever!
Abstract: In today's threat landscape, it is easier than ever to become an advanced persistent threat - all you need are the resources of a nation state. This talk will dive into the world of APTs and guide the how The Beer Farmers on how to become one. So-called mercenary APT groups are on the rise and offer high-level hacking services that leverage custom malware, 0day exploits, and the ability to evade attribution, all while remaining undetected.
Date: Thursday 28th October
Time (British Summer Time): 09:45 - 10:15

Speaker: Jurre Groenendijk
Talk Title: Reverse-Engineering Minecraft Randomness To Get World Records
Abstract: Within the Minecraft Speedrunning community, there's a ton of incredibly smart people. some of them have found a way to gain crucial info for a run out of seemingly random places. This talk will be about that feat, and a bunch of other, miscellaneous minecraft geekiness
Date: Thursday 28th October
Time (British Summer Time): 10:20 - 10:50

Speaker: Poncho
Talk Title: Hacking Is Not A Crime Advocate
Abstract: Hacking is Not a crime Organisation. It would be great for more people to know about HINAC, what they do & how to get involved.
Date: Thursday 28th October
Time (British Summer Time): 10:50 - 11:05

Speaker: Gabe Chomic
Talk Title: Cloudy With A Chance Of Misalignment
Abstract: What does the enterprise security function actually do? Most people in an organisation, even developers or SREs, usually don't know the answer (and if they do have an opinion it is seldom good).  These engineers, managers and product owners are increasingly making front-line security decisions on a day-to-day basis, decisions that enterprise security is responsible for but has neither attention for, understanding of, nor capacity to assess.
This disconnect is creating a widening gap in practice that can weaken security across the entire organisation. Enterprise security teams are starved for resource and usually cannot spare the time to keep up with.. well, everything. And at the velocity cloud enables, left-shifting/DevSecOps is easier to talk about than to do.
In this talk we will draw on the presenter's years of experience across both sides of trenches to walk you through some challenges security teams face in trying to secure the "agile world. This is distilled into a set of patterns and anti-patterns and a rough framework to help apply this learning back home.
Date: Thursday 28th October
Time (British Summer Time): 11:05 - 11:35

Speaker: Oliver Betts-Richards
Talk Title: Lessons Learned From Trying (And Failing) At User Education
Abstract: Educating users about information security is a critical step for any organisation to address the myriad challenges it faces when operating in the digital space. This presentation will discuss lessons Ive learned from educating users (our first line of defence against cyber threats) on a shoestring budget before, during, and (hopefully after) the coronavirus pandemic. It's been well documented that information security investment budgets are increasing (though it may not always feel like it is on the frontline), but educating users doesn't always sit very high on the priority list for organisations when it comes to spending that money (especially in sectors in which the money is still especially tight). This leaves the human vulnerabilities rising in severity but not getting addressed. This presentation will address this conversation by talking about the pressing need to educate our users to help us defend against cyber threats, the risks posed by not investing in education, why talking to our users like colleagues (rather than a vulnerability to be remediated) might catch on, the lessons I've learned along the way (the positives and negatives), and share some top tips (and a few things to avoid!).
Date: Thursday 28th October
Time (British Summer Time): 11:40 - 12:10

Speaker: Drew Jones
Talk Title: Mastering Blind SQL Injection
Abstract: In this talk, I will be going over how to locate Blind SQL Injection (code review via PHP, and maybe Java/.net as well) how to test the initial parameters and how to write a script to extract data from the target.
Date: Thursday 28th October
Time (British Summer Time): 12:10 - 12:40

Speaker: Joshua Moore & Dan Conn
Talk Title: Hootenanny, Live with the Beer Farmers
Information: Join us for fun and frivolity with our guest speakers Dan and Josh!
Date: Thursday 28th October
Time (British Summer Time): 12:40 - 12:55

Speaker: Ayush Priya
Talk Title: Automating Application Security
Abstract: Application Security is a field as old the security industry itself. Without software, we don't have a lot left to secure in the first place, making Application Security one of the most crucial aspect of security. That being said maintaining the traditional way of doing application security cannot keep up with the break-neck pace at which technology is marching forward. To compensate, we need to utilise our years of experience of application security and combine it with automation.
This talk is directed at people who are yet to begin automating their AppSec workflows or have just begun. The session would talk about processes that one can follow to begin their journey into security automation while doing away with manual toil. We would look at how application security has evolved over the years, how we decide what to automate and what not to, iteratively improve our automation and make robust and reliable security workflows. We would also look at demonstration for a sample automation setup with GitHub Actions.
Date: Thursday 28th October
Time (British Summer Time): 13:30 - 14:15

Speaker: Yevheniia Broshevan
Talk Title: Developing the Hacker career with the help of bug bounties
Date: Thursday 28th October
Time (British Summer Time): 14:15 - 14:45

Speaker: Shruti Chaturvedi
Talk Title: L3 Network Policy On K8S Aren't The End: Exploring Application Layer Security On K8S
Abstract: In this session, we will start by looking at K8s NetworkPolicies as a way to secure application-traffic at the port-level -a native way supported by Kubernetes. However, the default network policy definitions in Kubernetes are based on IP addresses and ports, which does not work well for dynamic environments with changing IP addresses and ports. To truly enforce least-privilege security and fine-gain access control, securing applications at the application layer is very powerful.
In this session, we will then see how adding Cilium, a custom open-source CNI plugin, which uses eBPF to communicate and maintain state, allows designing NetworkPolicies and attaching them to the application layer. This allows for a more scalable way to protect your workloads running inside container orchestration platforms. We will look at these concepts through a demo where we will see a managed Kubernetes cluster serving pods externally with network policies attached at layer 3/4 and layer 7 while understanding the key differences between these two approaches.
Date: Thursday 28th October
Time (British Summer Time): 14:50 - 15:05

Speaker: Dan Murray
Talk Title: Infosec Sucks! - And It'S Not Because Of The People
Abstract: An overview of being a "noob" in infosec, the learning curve, finding your groove (in my case CTFs and education) and then trying to get past HR barriers and the importance of networking
Date: Thursday 28th October
Time (British Summer Time): 15:05 - 15:35

Speaker: Vicky Lin
Talk Title: How I Landed A Job As Pentester In 10 Months
Abstract: Do you want to become a pentester and don't have any work experience?
Vicky did not have any pentesting experience when she decided to be a pentester. In fact, she just learned the job even existed!
Her talk entails the journey she went from zero to hero in 10 months, and what trophies you can show on your resume to stand out in a sea of candidates.
Date: Thursday 28th October
Time (British Summer Time): 15:35 - 15:50

Speaker: Ben Docherty
Talk Title: I Get By With A Little Help From My Friends
Abstract: A talk on my experience running BSidesNcl and DC44191 and how important frends and community, complete with memes and spelling mistakes.
From 2019 in a freezing skate park listening to talks on the side of a half pipe to 2020 as the only UK BSides during covid to starting a DC group with Cal, with the help and support of TBF and the rest of happy hour and a load of TMHC.
Hopefully I'll inspire others to start/grow their local community as we all grow together.
Date: Thursday 28th October
Time (British Summer Time): 15:55 - 16:25

Speaker: Kelly Lum
Talk Title: Mo Code, Mo Problems: A Slapdash Approach To Code Scanning
Abstract: You've got a lot of code in a lot of different languages. You are but one humble security engineer. How do you efficiently scan it? How do you efficiently triage results on years worth of tech debt? With Python, of course. I will demonstrate how to safely throw yourself on this grenade.
Date: Thursday 28th October
Time (British Summer Time): 16:25 - 16:55

Speaker: Stuart Coulson
Talk Title: I Fucking Love The Beer Farmers
Abstract: Why tribes should die and friends should flourish
Date: Thursday 28th October
Time (British Summer Time): 17:00 - 17:15

Speaker: Gavin Chester
Talk Title: Micro Red Team Testing
Abstract: In my prior role we started a series of tests based on the Atomic Red Team from Red Canary https://github.com/redcanaryco/atomic-red-team. The premise was simple, we know a full scale Red Team test will find problems and we know we have things in our enviroment we just can't fix for operational reasons.  However if we take threat intelligence and know the bad actors TTP's, and we know what hioles we have open, then we can overlay the threat actors TTP's onto our known holes and get an idea how much of a risk a new threat will be to the organisation.
Date: Thursday 28th October
Time (British Summer Time): 17:15 - 17:45

Speaker: Thibault Koechlin
Talk Title: CrowdSec : Participative IPs
Abstract: I would like to introduce you to crowdsec (https://github.com/crowdsecurity/crowdsec) : It is an IPS with a participative dimension, with the ambition to outnumber bad guys. Feed it logs (files, cloudwatch, journald, syslog), parse them, match them against scenario, block bad guys in a decentralized manner and share information!
Date: Thursday 28th October
Time (British Summer Time): 17:45 - 18:30

Music from: DJ Miss Jackalope
Date: Thursday 28th October
Time (British Summer Time): 18:30 - Late

Opening address by TBF
Date: Friday 29th October
Time (British Summer Time): 09:00 - 09:15

Speaker: Troy Hunt
Talk Title: Hootenanny, Live with the Beer Farmers
Information: Join us for fun and frivolity with our guest speaker Troy Hunt!
Date: Friday 29th October
Time (British Summer Time): 09:15 - 09:45

Speaker: Liam
Talk Title: The Map Is Not The Territory
Abstract: We're going to talk about systems. We're going to talk about complexity. We're going to talk about systematic complexity and it's going to be a thrill ride. Maybe.

There are three talking points:

  1. The map is not the territory.
    a. The models we hold in our heads, in documentation, in scribbled notes are not the system.
  2. The ghost of the old system continues to haunt the new.
    a. Why do we keep seeing the same things going wrong time and time again? Even when some solution looks shiny and new?
  3. What the hell are we going to do about it?
    a. I'll clarify here. I'm not going to solve anything. But you'll hopefully get a better understanding of what happens when they go wrong. To be more accurate they're always wrong to some degree and we just haven't noticed yet, or the wrong people have noticed.

Date: Friday 29th October
Time (British Summer Time): 09:45 - 10:15

Speaker: Sebastiaan Provost
Talk Title: Yeet The Leet With OSquery (Effective Threathunting Without Breaking The Bank)
Abstract: EDR/MDR/XDR is touted as the panacea, a one-stop-shop of security. However, there is no certainty on how well those solutions protect us. Companies throw money at them because they get promised complete protection. EDR solutions, no matter how expensive, still miss common techniques and payloads. This talk will show the audience how they can use the power of OSQuery to add additional monitoring to their systems in addition to keeping their EDR solutions honest. The talk will focus on detections of common command & control (C2) frameworks using OSQuery in addition to EDR.

This talk will show the audience how they can use Osquery to complement the functionality of EDR/MDR/XDR systems to improve overall security on endpoints.

After introducing the audience to Osquery, what it is and what it can be used for, I'll introduce two C2 frameworks that can be found on github and others. Payloads generated by those frameworks will be used throughout the talk as examples to show the power of Osquery and how it can be used to detect those payloads and their actions. Combined with an intro to reverse shells and how to detect them, you should have an idea on how you can start using Osquery in your own environment.

By the end of the talk, I'll give you a quick introduction on how you can setup alerting pipelines to empower yourself and/or your Security Operations team. I'll show some examples by using Splunk and Elasticsearch.
Date: Friday 29th October
Time (British Summer Time): 10:20 - 11:05

Speaker: Nick Heger
Talk Title: Rules Of Engagement: Determining A Unified Set Of Rules For Acceptable Phising Pretexts
Abstract: COVID-19 has given people a bunch of new anxieties, is it fair to exploit them? How important is no-holds-barred realism in a phishing test? Does watering down a phishing test reduce the benefit to organizations or users?

By reviewing and discussing available academic literature, we will begin by looking at the current state of malicious phishing, discuss common objectives of user training, and by combining the two topics, attempt to establish a framework by which we can determine rules of engagement for phishing testing and training.
Date: Friday 29th October
Time (British Summer Time): 11:05 - 11:20

Speaker: Pankaj Mouriya
Talk Title: Learn a few patterns, secure your applications in the cloud
Abstract: Modern applications are being deployed on cloud. In my day to day experience as a security engineer I have noticed that most applications deployed on cloud are vulnerable to security issues either due to a misconfiguration in the cloud service being used or vulnerability in the deployed application itself. These security issues could have been avoided if the applications have used the security mechanisms provided by cloud providers. In this talk we will look at cloud security services that we can leverage to protect the modern applications against common web applications vulnerability attacks. I will explain how cloud services can be mapped to OWASP Top 10 security risks.

The talk will start with mentioning some lesser known cloud security attacks and then it explains how cloud services can be mapped to OWASP Top 10 to prevent these attacks. We will look at how IAM, Data Protection, Infrastructure security and monitoring can help prevent modern applications from common web application vulnerability attacks.

By the end of this talk, the audience will have learnt a unique approach towards using cloud services when deploying their application on to the cloud. Audience will have learnt about most of the lesser known attacks and defense techniques against these cloud based applications.
Date: Friday 29th October
Time (British Summer Time): 11:20 - 11:50

Speaker: Soniya Shah Noor
Talk Title: Ryuk: The Shinigami Of The Cyber World
Abstract: This talk will be a deep dive into the mechanism of the Ryuk malware. To understand how Ryuk works once it's in the environment. How a manual malware like Ryuk can remain undetected within a system and mediums does it leverages for the spread in a network.

Since 2018, Ryuk has become a sophisticated ransomware threat, targeting companies, hospitals, government institutions, and other organizations. The organization behind the virus is renowned for lateral movement via private networks and gaining administrator access to as many computers as possible prior to starting the file encryption.

The Shinagami of the cyber world is as complex as it is mysterious. But with its intricate mechanism and clever execution style, Ryuk is a malware that you need to watch out for.
Date: Friday 29th October
Time (British Summer Time): 12:00 - 12:15

Speaker: Ben Ellis
Talk Title: Saving Face: The Challenges In Japanese Cybersecurity
Abstract: This talk will have a look at the Japanese cyber scene again however this time, we will be focussing on the challenges that are causing the scene to still be in a bad position compared to the rest of the world.

I aim to follow Han through a day of his life again although this time, we will be having a detailed look at his work life as an office worker working in a major Japanese corporation and the impact that these challenges have on the Japanese society and the corporation that Hans works for.

I will also examine what Japan has done to counter these challenges and the improvements they have made to their cyber security situation (in preparation for and running of the Olympics for example) since my last talk.
Date: Friday 29th October
Time (British Summer Time): 12:15 - 12:45

Speaker: Dave McKenzie
Talk Title: Hootenanny, Live with the Beer Farmers
Information: Join us for fun and frivolity with our guest speaker Dave McKenzie!
Date: Friday 29th October
Time (British Summer Time): 12:45 - 13:00

Speaker: Lennaert Oudshoorn
Talk Title: Divd X Zerocopter - How To Write Good RD Reports
Abstract: Talking about how to write a good RD / bug bounty report to receive a good response. Views from both reporting side (DIVD) and the side of a triage officer on a bug bounty platform.
Date: Friday 29th October
Time (British Summer Time): 13:30 - 14:00

Speaker: David Carson
Talk Title: Mental Health: The Good, The Bad And The Unobtainable
Abstract: A look at both the good and bad coping mechanisms, which may help or hinder your mental health, some warning signs to look for in others and a look at what the future of mental health treatment may look like.
Date: Friday 29th October
Time (British Summer Time): 14:00 - 14:15

Speaker: Dorian Warboys
Talk Title: Technology Enabled Care: How To Hack The Elderly
Abstract: Places like care homes and residential housing for the elderly are typically equipped with Technology Enabled Care systems. Unfortunately the current generation of these systems are incredibly insecure; some of the systems are internet-connected which opens up a plethora of problems.

In 2025 BT will shutdown the PSTN phone lines, forcing the next generation systems to all be internet-connected. This new generation of system typically uses Android tablets (with cameras enabled) inside the properties of the clients (ie: your grannies flat). Based on the track record of the security the vendors put in place should the next generation systems be trusted? Are we allowing unwanted eyes and ears into the homes of vulnerable people?
Date: Friday 29th October
Time (British Summer Time): 14:15 - 14:45

Speaker: Parker Seaman
Talk Title: Burnout Not Required
Abstract: The talk will cover the issue the tech industry has with pressuring people to make tech part of both their professional and personal life, and how such pressure can lead to burnout. Further points will be made about how we as an industry can avoid this, support each other, and so on.
Date: Friday 29th October
Time (British Summer Time): 14:45 - 15:00

Speaker: Matthew Haynes
Talk Title: Interrogate Staff To Comply
Abstract: Fact: illicit mail by passes gateways and gets in front of staff.
Fact: we need to help staff help us (Sec Prof.) spot and stop phishing attacks
Fact: security training + testing can only do so much
Q: How can we get staff onside to security programs?
In this 20 min talk, we'll explore how military style interrogation techniques can help us in the office to defend from phishing.
Date: Friday 29th October
Time (British Summer Time): 15:05 - 15:35

Speaker: Chris Spinks
Talk Title: Our Only Hope Of Innovation In Cyber Defence Is Youth, Diversity And Gender Engagement: A 'Blue'-Print
Abstract: Innovation occurs naturally in young people and yet the older generations, including those with full time cyber sector jobs, too often seek to shoe-horn those outside our 'norm' into the status quo - with mainstreamed training and certification. Standardising an approach is great but fails to capitalise on the innovative gifts of youth or the benefits of a diverse workforce. Then we wonder why the latest breach is by a 21 year old - again!! Its time to let the kids defend us, and teach us the skills with different ways of thinking on the way!
Date: Friday 29th October
Time (British Summer Time): 15:35 - 16:05

Speaker: Anne Turner
Talk Title: Write Me Some Kisses
Abstract: So, you started working in infosec due to an undying love for writing reports and smashing your head against a wall, right?
Love it or loath it, communication is the thing that gives what we do purpose. It's the connection between the things we know are important, and the rest of the world paying attention and listening to the things we have to say.
This talk goes into the weeds of writing clear, plain language reports that have impact, so you can start writing with KISSes.
Date: Friday 29th October
Time (British Summer Time): 16:05 - 16:35

Speaker: Peter Taylor
Talk Title: Hootenanny, Live with the Beer Farmers
Information: Join us for fun and frivolity with our guest speaker Peter Taylor!
Date: Friday 29th October
Time (British Summer Time): 16:40 - 16:55

Speaker: Rachel Okoji
Talk Title: AI And Cyber Security: Attack Vs Defence
Abstract: Artificial Intelligence has proven to be an invaluable element across various sectors, especially in Cyber Security. In the right hands, the ability of AI to analyze ginormous quantities of data at a time, learn, automatically detect and respond to threats based on established norms is key to developing better security solutions.
However, bad actors can also weaponize AI for scaling their attacks, discovering and exploiting vulnerabilities within a shorter window using autonomous scanning and perimeter testing, deploying more sophisticated phishing attacks with harvested information and more.
These threats can cause catastrophic and expensive damages especially since most AI-enhanced attacks can go undetected. Therefore, it is important to focus on developing AI-based cyber security tools as well as developing security solutions and policies to protect the integrity of AI systems.
Date: Friday 29th October
Time (British Summer Time): 16:55 - 17:10

Speaker: Sajeth Jonathan
Talk Title: Manipulating Through Misinformation: Deepfakes
Abstract: Misinformation is a widely combated concept that we are still struggling to reduce. Unconventional technology affects all social/demographic/cultural differently. Deepfakes can be an additional tool in an attacker's arsenal to spread fear, doubt and manipulate the general public.
The general public need to be made aware on the capabilities of Deekfakes and be educated ways they can help their community members navigate any damage brought to their mental health, dignity and lifestyle.
Are we ready to tackle the psychological and emotional distress caused by Deepfakes?
Date: Friday 29th October
Time (British Summer Time): 18:00 - 18:15

Speaker: Shahrukh Iqbal Mirza & Samuel Ferguson
Talk Title: O-My-Phish: Leveraging Office 365 And Azure For Phishing
Abstract: For the modern red team, phishing attacks have become increasingly difficult and frustrating for a variety of reasons. The time and effort required to create a solid phishing infrastructure has become less and less of a positive return on investment due to the increasing using of email-related security solutions. Whether its Microsoft Defender for Office 365 or an independent email security gateway, security solutions are stopping many phishing attacks from landing in a victim's inbox.

Luckily, there are some solutions to ease the pains of phishing infrastructure and increase the chance of a successful phish. In this talk, we'll cover how red teamers can leverage tools like Microsoft Outlook and Microsoft 365 to streamline infrastructure creation and provide some strategies that will potentially allow attackers to bypass email-related security solutions.
Date: Friday 29th October
Time (British Summer Time): 18:15 - 18:45

Speaker: Sam Ferguson
Talk Title: C2 4U - An Introduction To The Command And Control Server
Abstract: Command and Control servers, commonly known as C2 servers, are a staple when it comes to Adversary Emulation. For those on the outside looking in, you may wonder what the commotion is surrounding these tools. Are they just there to host glorified reverse shells? What does it mean when the community mentions things such as listeners, stagers, and their functionality? This talk will (hopefully) answer your questions!

During this presentation, we will utilize a tool called Powershell Empire which will showcase some functions of a C2 server. We will also touch on some considerations that need to be made when it comes to C2 architecture among some other functionality and use-cases. We will demonstrating this tool throughout the conversation (barring any technical difficulties) so you can see real world functions that are discussed in action.
Date: Friday 29th October
Time (British Summer Time): 18:45 - 19:30

Music from: Dan Sampayo
Date: Friday 29th October
Time (British Summer Time): 19:30 - Late