Securi-Tay is an information security conference held annually at Abertay University, organised by Abertay University's Ethical Hacking Society. This year's edition will welcome a new attendance record of 500 attendees and marks the thirteenth annual Securi-Tay, the World's largest student-run information security conference.
Securi-Tay runs across three separate tracks and welcomes talks from both seasoned professionals and first-time speakers! Additionally, there are spaces available to host workshops in a separate workshop village throughout the day.
Securi-Tay's yearly CTF will take place across the 2 days prior to the conference day, to allow for all attendees to make the most of the Securi-Tay experience. Prizes will be given out to the top scoring individuals.
Securi-Tay would not be possible without the support and generosity of our sponsors; attendees will have the opportunity to network with some of our sponsors in the main exhibition space throughout the event.
This year the conference will be run on Friday 28th of February at Abertay University.
Attendees of Securi-Tay must abide by the Abertay Hackers Code of Conduct which can be found here.
Registration will be in the Old College Building. Follow the signs and volunteers to sign in and collect your free swag!
60 mins
Old College Building, Room 1001
A brief welcome and introduction to the conference.
15 mins
All Tracks
We will look at the history of Chinese geopolitics and use that to understand cyber activity, AI and other topics. Finally we will step into the future and try and understand what comes next and what skills you may need in the future !
60 mins
All Tracks
Is that really your colleague in your inbox, or just someone wearing a very convincing digital mask? In this session, we’ll break down Business Email Compromise (BEC) - One of, if not the most prolific cyber attack in today's threat landscape.
This talk will explore how cybercriminals gain initial access using phishing emails from previously compromised accounts and credential harvesting infrastructure to capture your session tokens, all in the name of cold, hard cash.
We'll show you how DFIR analysts unravel these schemes, what logs and artefacts they search for, and how businesses can shore up their defences to avoid becoming the next victim. No nation-state espionage here—just good old-fashioned greed.
We'll wrap up with recommendations to safeguard your email and, of course, answer all your burning questions about the digital Wild West that is your inbox
60 mins
Track 1
Mike has over 10 years of experience in cybersecurity, with expertise in both on-premise and remote Security Operations Centres. They have played a key role in building a remote, multi-tenant managed SOC, working with some of the most recognizable household names in the UK. Having spent several years onboarding organizations into the managed SOC service, they also developed a managed threat function, encompassing threat hunting and threat intelligence. For the past 18 months, they have focused on Digital Forensics and Incident Response (DFIR), assisting customers in recovering from cyberattacks, including ransomware and business email compromise. In their spare time, they enjoy gaming, playing titles like Minecraft, Stellaris, Crown of the Gods, and tabletop Warhammer 40k.
There are thirteen pillars upholding the critical national infrastructure (CNI) that allows for the every day running of our society. These pillars are sectors that rely on four generations of operational technology (OT) systems with the oldest generation being pre-Internet. What are these industrial control systems (ICS) that we rely on, and how are they vulnerable? This talk will outline a generic ICS from the hardware to the protocols that allow the complex systems to speak with one another. Research into these systems is often done on physical testbeds and digital twins (I don't know about you, but I wouldn't want to try hack an actual nuclear reactor). The talk will discuss the testbeds that I'm lucky enough to play with day-to-day. How are these industrial control systems vulnerable, and what can we do to protect these systems from malicious actors? Finally, how are these thirteen pillars connected? If we knock one down, will the others fall like dominos?
60 mins
Track 2
I'm a software engineering teacher and industrial cybersecurity researcher at a university in the Welsh capital. Navigating the usual shenanigans of being a doctoral candidate, while juggling the stress of being an academic staff member. I spend more time outdoors than indoors these days, ideally with a book in my hands, and I'm looking forward to getting my floppy hat!
Welcome to the wacky world of Information Stealers! They come in all shapes and sizes. We'll be discussing the rise and impact these infostealers have had globally throughout various industries and how some have met their downfall through Law Enforcement. The talk further looks into how infostealers can disguise themselves and abuse legitimate applications at the cost of the victims information.
30 mins
Track 3
I'm a CTI analyst with an interest in all things OSINT and forensics, i'm definitely not an expert in space but do like it. Loves CTFs. Gig addict. Likes connecting blocks to other blocks for that free seritonin. I read a book once, it was good and quite fond of the aul' walk or two.
My talk is about introducing the idea of using Zero knowledge proofs to secure general data communications. The approach I have come up with differs vastly from regular encryption as it is based on the idea that anything that is brute force able is unsafe so instead makes all possible answer that could be brute forced just as likely as each other making it impossible to determine the actual content of the communication.
30 mins
Track 3
I am 4th year Ethical hacking student and a member of the ethical hacking society with a love for computer networking. While at a job fair earlier this year I was asked the question if I were to remotely configure a network how would I go about doing it securely. At the time I didn't have a good answer now however my answer is the subject of my talk.
This hands-on workshop aims to give you an understanding of the security features and pitfalls of modern containerization tools like Docker and Kubernetes. We’ll cover a range of topics to build up a picture of the security options available and show practical examples of attack and defence on containerized systems.
There will be hands-on labs covering common attacks on Docker, Docker containers and Kubernetes clusters.
120 mins
Workshops
Rory is a senior researcher and advocate for Datadog who has extensive experience with Cyber security and Cloud native computing. In addition to his work as a security reviewer and architect on containerization technologies like Kubernetes and Docker he has presented at Kubecon EU and NA, as well as a number of other cloud native and security conferences. He is one of the main authors of the CIS benchmarks for Docker and Kubernetes, a published author on the topic of Cloud Native Security and member of Kubernetes SIG-Security. When he's not working, Rory can generally be found out walking and enjoying the scenery of the Scottish highlands.
Content Warning: This talk will discuss sensitive topics such as suicide, mental health and sexual violence.
In the new era of the digital world, the landscape of love, sex, and relationships has been turned upside down, presenting both new challenges and opportunities. This talk will delve into the complex dynamics of intimacy in the internet age, looking at issues such as catfishing, dating culture and tech-facilitated sexual abuse. We'll also examine the role artificial intelligence and chatbots have had in shaping romantic encounters, as well as the need for cybersecurity in protecting personal information and ensuring our personal safety.
As well as discussing these topics, we'll discover what solutions the government, social media companies, and dating platforms have in place currently and what proposed implementations are being considered such as policy changes, safety features and legislation updates.
In this talk, we'll uncover the intricacies and dangers to love and sex in an online world, including what social media and the government are doing to protect us.
60 mins
Track 1
Security Engineer @ Adarma and Abertay Alumni Interested in education of online safety Known for talking about things that no-one really talks about
How do adversaries move from discussing proof-of-concept (POC) exploits in underground forums to exploiting Common Vulnerabilities and Exposures (CVEs) in the wild? Drawing on incident response data and underground research, we’ll explore how vulnerabilities are identified, POCs are shared, and exploitation tactics evolve. Attendees will gain valuable insights into how threat actors weaponize vulnerabilities and the critical steps needed to mitigate these risks.
60 mins
Track 2
I graduated from Abertay in 2015 with a first class honours degree in Digital Forensics before starting my career in London with online gambling company Betfair. After deciding London wasn't the place for me I relocated to Edinburgh and joined Secureworks starting in the SOC before moving into Threat Hunting and then my current position as a security researcher within the Counter Threat Unit. Outside of work I spend too much time at the gym and playing death metal and recently became a Dad.
As artificial intelligence increasingly integrates into software development, emphasizing security within these practices becomes essential. This proposed talk aims to delve into comprehensive, hands-on strategies for developers and security teams, focusing on effective measures to safeguard applications while leveraging code-generation tools and machine-learning models.
Participants will explore an array of actionable techniques to identify and mitigate security vulnerabilities inherent in an AI-driven coding landscape. By fostering a collaborative environment that encourages knowledge sharing between technical and non-technical attendees, this talk will outline a detailed roadmap to enhance security protocols in contemporary development processes.
30 mins
Track 3
Helen is an accomplished cybersecurity professional with over eight years of experience in the field. She specializes in Vulnerability and Threat Management, Cloud Security, Incident Response, Risk Assessment and Impact Analysis, and the implementation of security standards such as ISO 27001 and PCI-DSS.
With a first-class degree in Computer Engineering and multiple industry-recognized certifications—including CISSP, CCSP, CISM, CRISC, ISO 27001 Lead Implementer/Lead Auditor, and CEH—Helen brings both deep technical knowledge and strategic insight to her work. Beyond her technical skills, she is a dedicated mentor, committed to inspiring and guiding the next generation of cybersecurity professionals.
Helen excels at helping organizations understand and mitigate risk, safeguarding their information assets, and ensuring robust protection against cyber threats. Her strong communication, problem-solving, and collaboration skills enable her to work effectively with cross-functional teams to create a culture of security and resilience.
A career talk for students on how to navigate the industry, making the most of your time in University, getting career ready and working at Google in general.
30 mins
Track 3
I currently work as Technical Program Manager in Capacity Planning for Google Cloud in their EMEA HQ in Dublin, Irleland. I have been with Google for 7 years, prior to which I worked as an Operations Engineer in Manchester at the BBC keeping iPlayer, News, Sports, Radio, Childrens all online 24/7. I also have a MSc from St-Andrews in Software Engineering, with a publication here in Human visual based perception of steganographic images: https://www.tandfonline.com/doi/abs/10.1080/23742917.2019.1609393 It all started at Abertay University, with an BSc in Digital Forensics, which I graduated in 2015. Would be great to come back and do an alumni talk at the University 10 years after graduating.
Understanding adversary tactics, techniques, and procedures (TTPs) can enhance both teams' capabilities, better protecting against sophisticated threats. Real-world examples and case studies will demonstrate how red team exercises aid blue teams in identifying vulnerabilities, testing incident response plans, and improving overall security posture. Attendees will gain insights into leveraging the red team mindset to think like an adversary, anticipate potential attack vectors, and proactively strengthen defenses. The talk will provide practical recommendations for fostering effective collaboration between red and blue teams, enabling them to work in harmony and maximize their collective expertise. By embracing this collaborative approach, organisations can stay ahead of the curve and better protect critical assets against ever-evolving cyber threats, leveraging the synergy between offensive and defensive security teams and their respective tools.
60 mins
Track 1
Andy is a seasoned cyber security professional with 12+ years of experience, specialising in red team operations. He's passionate about collaborative security and 'paying it forward' through mentoring and open-source contributions. Andy regularly shares his expertise on offensive and proactive security at industry events. He also volunteers at DEF CON on the security operations side, supporting the hacker community he's proud to be part of. His unique blend of technical knowledge, collaborative spirit, and creative interests brings a fresh perspective to cyber security.
This talk will delve into how cyber threat actors/groups adapt and diversify activities following regulatory disruptions such as arrests, infrastructure takedowns & sanctions. It’ll cover both immediate and long term impacts on threat landscapes that are observed by analysts.
60 mins
Track 2
I graduated abertay in 2023 in the ethical hacking course, now working full time in blue team SOC, specialising in threat intelligence currently setting up a threat intell function at The Weir Group. I've always been extremely passionate surrounding the niche of operational technology and ICS. In other aspects of my life Im interested in hiking, climbing and music! Always been a huge lover of the hacking society at abertay and securi-tay has been one of my best memories.
In the ever-evolving landscape of cybersecurity, threat actors continually seek novel methods to bypass detection mechanisms. One such technique that has gained traction recently involves the use of Scalable Vector Graphics (SVG) files. This talk will delve into the mechanics of SVG files and how their unique properties are being exploited for initial access in cyber attacks. We'll explore real-world case studies that highlight the versatility and effectiveness of SVG-based threats.
30 mins
Track 3
I am a senior security analyst with over 4 years of experience in incident response & helping companies mature their defensive cyber capabilities. In my spare time I like to work on DIY projects & play video games.
ATM jackpotting is a sophisticated form of cybercrime where attackers use malicious software or hardware on ATMs to force them to dispense large amounts of cash on demand. This talk will explore the evolution of ATM jackpotting and go through some of the primary techniques used by criminals. Participants will gain insights into the methods used by cybercriminals to access and control ATMs, and we will discuss best practices and strategies for protecting ATMs from jackpotting and ensuring the security of funds.
30 mins
Track 3
Aldrin Baretto : SW Product Manager at NCR Atleos for enterprise security and ATM 3rd Party software. Recent BSc Hons graduate from University of Dundee in Computing Science.
Derek Henderson : Senior Product Manager for Software Security at NCR Atleos with 30+ years experience in the ATM industry. Holds a BSc Hons in Computing Science from Glasgow University and MBA from Strathclyde University.
You're in. You’ve got root. You need exfiltrate…stuff… without anyone knowing what’s going out but the only tools you have are a Linux command line and C /C++compiler. How would you implement and use a one-time pad with XOR encryption? How short (and memorable) can you make your program to do this? This workshop is your chance to try it and then discuss how we tackle it.
120 mins
Workshops
7 years of cutting code in hospitals and BNFL Sellafield. 30 years of trying to pass on wisdom to students. Wait….. what wisdom?
A talk on the general methodology for Malware analysis, aiming to give the listener a basic understanding to prevent any confusion, and how AI alongside automation can be used to bypass some of the more tedious aspects and gain further clarity into the findings. I aim to create a secure solution to deliver automated findings to the investigator from the sandbox, and demonstrate how its sped my analysis on some interesting malware samples.
60 mins
Track 1
Former Abertay Ethical Hacker, studying between 2017 and 2021, loved my time but always wished I had given a talk at Hacksoc or Securitay.
I went on to study a Masters of Cybersecurity at Asia Pacific University in Kuala Lumpur, Malaysia, where I helped with the Hacking society there, had a ton of fun, and made a lot of memories.
Currently working as a SOC analyst at Adarma in Edinburgh, its such a fun job and learning a ton. I've been studying and completing a few certs in my time, such as the TCM security Malware Analysis certification, and given a talk at my old school about Cybersecurity to get the next generation keen.
Otherwise, I am really into Baking/Cooking, love to Hike, and play some sports like tennis/golf.
At Pwn2Own 2023, the Zero Day Initiative introduced a new category, surveillance. This talk details how Interrupt Labs identified and exploited a vulnerability allowing us to achieve remote code execution on the Synology BC500 from a network adjacent perspective.
60 mins
Track 2
Ben is an Android vulnerability researcher at Interrupt Labs with experience in Linux, Android, and embedded platforms.
This 30-minute talk dives into the practical execution of chaos engineering through 'gamedays', structured events where teams intentionally simulate failures in their systems to identify and address weaknesses. Contrary to its playful name, a gameday is a focused, collaborative, and strategic event. We'll explore key aspects of planning and executing gamedays: from choosing the right applications and environments, to defining steady states and executing targeted and controlled chaos experiments.
Attendees will learn how Datadog plans gamedays and selects gameday participants based on our system environment, agrees on steady-state definitions, and gradually scales from small latency injections to full-scale events. The session also covers how we use observability tooling for live insights and incident management, highlighting the importance of automation, transparency, and a holistic view for effective execution. By embracing chaos engineering through gamedays, teams can proactively identify system gaps, build resilience, and foster valuable cross-team learning.
30 mins
Track 3
Aspired to protect large-scaled systems and engineering organizations against the downside of unexpected failures, and the lack of graceful degradation, I am leading a Chaos Engineering team to build tooling to safely inject failures at scale, and facilitate gamedays to validate resilience hypothesis against reality.
Industrial Control Systems have become a critical pain point in the national infrastructure of any state. This talk specifically talks about how industrial control system cybersecurity has been important and the evolution of attacks on Operational technology cybersecurity in an era of cyberwarfare.
30 mins
Track 3
I'm Nithika in short Nik, I am a 3rd Year student in Computing at Abertay University. I am passionate about industrial control systems in the tech industry. Also, I'm a fan of web exploitation and malware analysis.
TLP:AMBER STRICT - A dive into the investigation of Bumblebee C2 framework, the importance of industry collaboration, reversing the DGA domains and smoking out the new Hive!
60 mins
Track 1
A highly skilled and experienced national and international Cyber investigation and Threat Intelligence specialist with over 15 years experience from the public and private sector. Loves complex puzzles, lock picking and life long learner!
In today's rapidly evolving cloud landscape, organisations are increasingly adopting microservices and Kubernetes to drive innovation and scalability. In this talk, I will share my experiences deploying 34 microservices to Kubernetes at Aize, highlighting the challenges and successes encountered along the way. We’ll explore effective strategies for maintaining Kubernetes security while empowering developers to debug incidents efficiently, ensuring that security does not hinder productivity. Additionally, I will discuss best practices for securing CI/CD pipelines, focusing on minimising vulnerabilities during deployment to safeguard live environments. Join me as we navigate the complexities of achieving SaaS-tainable security in a Kubernetes world.
60 mins
Track 2
I'm Hannah I graduated Abertay in 2022 and since then have worked at a SaaS company called Aize, where we create digital twins of oil and gas assets to improve operational insights and drive efficiency. I have been DevOps Engineer at Aize for over 2.5 years, where I focused on optimising deployment processes and enhancing operational efficiency. This includes deploying our microservices to Kubernetes using Flux, and writing and designing our CI/CD pipelines. I’m now transitioning into a role as a Cloud Platform Security Engineer. I’m passionate about securing cloud environments and ensuring robust security practices, and I’m excited to share my insights on balancing usability and security in modern cloud infrastructures.
Join me, as I roll back the years and take you on a whistle stop tour of the evolution of malware. We'll begin at the inception of malware in 1971, and cover malware cases from years gone by before finally reaching where we are now. By the end of the presentation, I hope to have explained the changes in malware from 1971 all the way up to malware today.
30 mins
Track 3
I am a third year Ethical Hacking student at Abertay University with a strong interest in digital forensics. I am a member of the Ethical Hacking Society where I have delivered multiple presentations on various topics, and I have been a Securi-Tay volunteer every year since I started at Abertay. This year, I created some of the CTFs for this years conference. Outside of University, I play darts and am a keen amateur musician.
In the world of cybersecurity, we often focus on traditional defense mechanisms, but the truth is, attackers may not even need to directly hack into your device to steal sensitive information—they might just be listening in. From the subtle sounds of keypresses to the vibrations of your phone, side-channel attacks exploit the very data we unknowingly leak through seemingly innocent actions. In this talk, we'll explore the fascinating realm of user input side-channel attacks, delving into the acoustic, motion, vibration, visual, and Wi-Fi Channel-State-Information methods used by attackers to eavesdrop on everything from emails and passwords to PINs. We will discuss these different mediums for such a side-channel attack and then we'll dive into my work, which recovers typed passphrases via the acoustic side-channel using machine learning and dictionary attacks. Get ready to hear the sound of security—it’s not as quiet as you think.
30 mins
Track 3
I’m a Master's student in Applied Research in Engineering Sciences at OTH Amberg-Weiden, where I also work on a research project for IDS focused on industrial systems. My bachelor’s degree is in Artificial Intelligence, and I have a strong interest in Cybersecurity and AI.
The world of cyber security is an exciting one, with plenty of unique pathways to take. However, there's no one-size-fits-all approach to breaking into this field. This talk challenges the notion of a singular 'ideal' cybersecurity career path. We'll dissect common myths, and, most importantly, help you discover your unique strengths and how they align with different roles. We'll provide actionable strategies for building up relevant experience and showcasing your individual talents to potential employers. Your journey into cybersecurity is unique – let's find your attack vector.
60 mins
All Tracks
Miłosz Gaczkowski is a mobile security specialist at WithSecure Consulting, having previously spent entirely too much time working in academia. His work and interests revolve around Mobile Application Management solutions, Internet of Things devices, and complaining about password managers. Outside of technical work, his primary interests are in education and the culture of education.
Mohit Gupta is a Principal Consultant at WithSecure Consulting, where he specialises in AWS and Kubernetes, and is the technical lead for all things orchestration. He has previously spoken at fwd:cloudsec, Steelcon, Def Con Cloud Village and the Texas Cyber Summit
A few words to conclude the day and thank everyone who made it possible
15 mins
All Tracks
Sponsored by WithSecure Consulting, join us for a few drinks and lots of awesome chat!
???
The Barrelman
Registration will be in the Old College Building. Follow the signs and volunteers to sign in and collect your free swag!
60 mins
Old College Building, Room 1001
The University's address is Bell Street, Dundee, Scotland, DD1 1HG.
The closest train station is Dundee Station.
The closest airports are Dundee Airport and Edinburgh Airport.
If you are driving, the closest parking lot is the multi-story Wellgate Centre Car Park
Created by Abertay University Ethical Hacking Society
Abertay University Students' Association is a charity registered in Scotland, no: SC036647