SEC-T 2025 Stockholm Conference Notes
Last week, I attended the SEC-T security conference in Stockholm, Sweden.
At the keynote, the organizers shared a dictionary of words that best describe the last twelve months. The words were vibe coding and data sovereignty. I think they nailed it pretty well. Most of the talks were worth joining, and some of them resulted in the unstructured mess called notes which you can read below.
Practical AWS Antiforensics by Santi Abastante
As the name suggests, the talk was about various strategies an attacker can leverage to hide their tracks while compromising AWS resources.
One interesting part was about the security boundaries that are outside the blue team's control, such as how long the SIEM takes to ingest the logs, followed by a diagram of the time delays in AWS introduced by various log shipping strategies.
Attacking and defending GitHub Actions by Simon Gerst
- Command injection vulnerabilities can be fixed by passing untrusted values through environment variables instead of templating them directly into command strings.
- The pull_request_target trigger is insecure. It uses the workflow file of the target branch, so in a repository with many branches some of them can still be vulnerable even if master is fixed.
- Code should be executable XOR writable: run the tests, store the result as an artifact, and use secrets for publishing in a separate stage. You can use workflow_run to implement such logic.
The Voices Of Confession by joris
Joris presented a decentralised and distributed encrypted network that can be used for data, voice, text and whatever else, as it's basically a home-grown opinionated VPN. This year's presentation focused on a component called Cathedral that “help peers discover each other and is able to distribute wrapped ambries to peers when required.” The naming convention in this project made my day.
Unicode as low-level attack primitive by noraj
Lots of interesting insights about Unicode that I didn't know I needed to be a better red teamer:
- There are Zero Width Joiner (ZWJ) sequences where the ZWJ character is placed between multiple Unicode characters (e.g. emoji) and the result is a single glyph.
- A character can have different sizes in different contexts: grapheme size vs string size vs byte size.
- Homoglyphs: similar-looking but different characters. The great example was a negation operator in an if statement that was not !.
- There can be implementation errors in libraries that handle Unicode.
- Some XSS filters can be bypassed by using the NFKC and NFKD normalization forms with the < and > characters.
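To make the three Unicode points above concrete, here is a small added example (mine, not from the talk) that measures grapheme vs code point vs byte size of a ZWJ emoji sequence, surfaces non-ASCII homoglyphs in a source line the way a linter would, and shows why an input filter must normalise before it checks for angle brackets. The emoji, the source line and the fullwidth bracket input are constructed samples.

```python
import unicodedata

ZWJ = "\u200d"    # ZERO WIDTH JOINER
VS16 = "\ufe0f"   # VARIATION SELECTOR-16 (emoji presentation)

def sizes(s):
    """Return (approx. grapheme count, code point count, UTF-8 byte count).

    The grapheme estimate is deliberately simple: a ZWJ glues the next code
    point onto the current cluster, and combining marks, VS16 and the ZWJ
    itself never open a new cluster.
    """
    clusters, join_next = 0, False
    for ch in s:
        if ch == ZWJ:
            join_next = True
            continue
        if join_next or ch == VS16 or unicodedata.combining(ch):
            join_next = False
            continue
        clusters += 1
    return clusters, len(s), len(s.encode("utf-8"))

def non_ascii_report(source):
    """List (offset, code point, name) for every non-ASCII character: the
    check a linter runs to catch homoglyphs such as U+01C3 standing in for '!'."""
    return [(i, f"U+{ord(ch):04X}", unicodedata.name(ch, "<unnamed>"))
            for i, ch in enumerate(source) if ord(ch) > 0x7F]

def contains_angle_brackets(text, normalize_first):
    """Filter looking for '<' or '>'.  With normalize_first=False it checks the
    raw string and misses compatibility forms; with True it inspects the NFKC
    form, i.e. what a downstream consumer that normalises will actually see."""
    if normalize_first:
        text = unicodedata.normalize("NFKC", text)
    return "<" in text or ">" in text

if __name__ == "__main__":
    family = "\U0001F468\u200d\U0001F469\u200d\U0001F467"  # constructed: man+ZWJ+woman+ZWJ+girl
    print(sizes(family))                                   # (1, 5, 18)
    print(non_ascii_report("if (a \u01c3= b)"))            # flags U+01C3, not '!'
    wide = "\uff1cscript\uff1e"                            # constructed: fullwidth < and >
    print(contains_angle_brackets(wide, False), contains_angle_brackets(wide, True))
```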
Adware As a Service by Sean “4dw@r3” Juroviesky
Nice call-to-action presentation about the pervasive tactics of the advertising industry. He mentioned leveraging anger and some types of propaganda tactics to manipulate purchasing behaviour. The main novel information for me was the use of server-to-server user information exchanges, which now complement the use of tracking cookies.
I know who your users are - abusing user enumeration for OSINT and Bug Bounty by Anton Linné
- You can use user enumeration API endpoints to get information about the people you are interested in.
- He mentioned a case where 200+ services vulnerable to enumeration are checked to find OSINT information.
- Password managers have user enumeration problems as well. You can check whether a user cares about security.
- Buy a company's past, expired domains, get users from enumeration, create catch-all emails and do password resets on third-party sites.
- As a countermeasure, use unique, meaningless emails for registrations; Apple and others provide those.
Inside Google’s Discovery & Remediation of a Critical CPU Vulnerability by Yousif Hussin
The talk is a nice narrative of the Tale of Google's Response to Reptar CPU Vulnerability blog post, with lots of information about Google's internal vulnerability handling process. They have a vulnerability coordination centre called VulnCC, plus a couple of teams and systems that monitor public news, do impact assessments, and coordinate remediations.
Ignition Under Fire: Exploring Cybersecurity Attack Vectors in Rocket Propulsion by Paul Coggin
- Nice use of attack trees and threat modeling in the slides.
- Three computers in an actor-judge architecture.
- Time-Triggered Ethernet.
- Space Attack Research and Tactic Analysis (SPARTA)
- Space Attacks and Countermeasures Engineering Shield (SPACE-SHIELD)
Applied Detections Bypass by int0x80
The talk was about making blue teams better. It was an interactive session which was not recorded. The speaker used the Falco threat detection tool to monitor container logs, then tried to bypass detection with the help of conference attendees.
We succeeded in reading sensitive files, searching for SSH keys, etc.
The most impressive bypass was spawning a shell in a container without triggering detection. Some guy said we should use vi via kubectl exec and then :!sh. It worked.
How to bug hotel rooms v2.0 by Dan Tentler
Dan gave the first talk on the same topic in 2019, hence v2.0. As a response to the Las Vegas shooting, which resulted in widespread room checks by hotel security, he came up with a weaponized home assistant setup which allows him to closely monitor any space he wants. It's a bit overengineered and probably interesting for spies. Some insights:
- A CO2 sensor can tell the number of people in a room.
- mmWave sensors are cheap and can be used to peer through walls.
- He monitored Bluetooth at HackCon Oslo and revealed 5 Oral-B toothbrushes in a room.
- Mentioned Nzyme.
Gotcha! – How to Track Down a Drone Operator in the Heart of War by Michał Kłaput
The talk was about drones used in the war in Ukraine.
- People are building their own DJI AeroScope to detect drones.
- He used the DragonOS SDR distro to find the coordinates of a drone hovering next to him.
A Game of SSDLC Mistake Bingo by Hendrik Noben & Stephan Van Dyck
The talk was a bingo quiz about the OWASP Software Assurance Maturity Model (SAMM). They mentioned their “real war stories”. I was sceptical about this talk based on the name, but it turned out to be quite a confirmation of my own experience.
Notes:
- They see way more security-related requests in the RFP process lately, compared to the year before.
- Customers ask for real security guarantees, not compliance for the sake of compliance.
- Avoid analysis paralysis. Do something; don't just plan or work on tools that never get used, and don't be stuck in the planning phase forever. Be pragmatic.
- To determine risk, ask in your company “if you have 24 hours to completely bankrupt the company, what would you do?”
- If you buy Pentest as a service, you just get an automated scanner.
- Pentesters see the same findings year after year in the same company.
- Pentest and review the scope before entering the world of bug bounty.
Oops, I Hacked It Again: Tales and disclosures by Ignacio Navarro
Random Sunday hacking. Very funny presentation. He basically lives in the Burp browser. Tools he recommends:
- IP: Nmap, Shodan, Dig
- Domains: Dnsenum, Subfinder, Gobuster, Dnsdumpster
- Tech: Nuclei, Nikto, Wappalyzer
- Proxy: Caido, ZAP, Burp
LLM x MCP x KALI - Building & Breaking AI Agents by Andrei Agape
Good overview of the AI agent components and how to build an agent. The 5ire MCP client and the mcp[cli] Python library were used.
The current AI agents’ weaknesses mentioned in the talk:
- No MCP authentication or RBAC.
- It is possible to retrieve the LLM history simply by asking for it.
- Client prompt == tool input. Sanitize it!
- Don’t expose MCP to the internet.
- Use containers and segregation.
- Monitor the outbound traffic.
Breaking Entra: Real-World Cloud Identity Attacks You Can Recreate by Jonathan Elkabas
Non-human identity is the new perimeter. Jonathan shared 6 scenarios on how to get from an Entra user to Global Admin. They built the Entragoat tool, a CTF-style lab deployed as a vulnerable configuration in your test tenant.
There was a great ENTRA ID jungle slide with common attack paths. Many identity concepts from Azure were mentioned.
Offensive SIEM: When the Blue Team Switches Perspective by Erkan Ekici & Shanti Lindström
Two guys from the Swedish police presented how to use a SIEM to proactively find vulnerabilities before the bad guys do. They have found multiple CVEs, one of them in Airbus infrastructure and still under embargo.
They shared one SIEM query per slide and the story behind it. Lots of cases of privilege escalation via user writable paths.
Talks for which I have no notes:
- LLM Security Literacy by Krister Hedfors
- Offensive Security with Machine Learning: Applications and a Blockchain Case Study by Vivi Andersson & Sofia Bobadilla
- Build Your First Threat Emulation Plan by Fredrik Sandström