CactusCon

CactusCon13
February 14-15, 2025
Mesa, AZ

Filtering by Tag: 2022 Track 1

How to not suck at CFPs: Real-World Feedback from the CC10 Review Board

Panel talk with real-world examples from this year's CFP (sanitized, of course, and presented without making anyone feel bad about their submission).

Topics include:

- Making sure the talk is applicable to the conference you're submitting to
- Selling yourself and your talk
- How to NOT sound like a vendor pitch
- WRITE. AN. OUTLINE.
- Submit one or two REALLY GOOD talks - don't "spray and pray" your entire back pocket of topics into a single CFP

Offensive Debugging: .NET Poops of Gold

Offensive forensics is the concept of using forensic techniques to find secrets or other valuable data to further attack paths. Offensive security tools such as Mimikatz that employ strong forensics and reverse engineering techniques have proven invaluable in red teaming and penetration testing.

This talk will discuss finding the golden nuggets in .NET dumps using existing tools and provide scenarios in which exercising forensic skills can be a game-changer in offensive security operations. Additionally, this talk will demonstrate Turdshovel, a tool for quickly analyzing .NET dumps for objects of interest.

So go ahead, fam. Take a huge dump.

Forensic Artifacts in Free Tiers of Azure, GCP, and AWS

As individuals and companies look for ways to save money, cloud providers incentivize choosing their service over others. Unless they are demoing a security project, security isn't a forethought until an incident happens. Free cloud tiers are the focus, as there may not be money invested by the individual/organization, especially in something like a project demo. There are two simulated threats, so we cover what artifacts are generated, and opinions on the ease and quality of the information.

Chasing Your Tail With A Raspberry Pi

For some people, trying to figure out if you're being followed is a matter of physical safety for themselves or others. In this talk we'll discuss a methodology for using low-cost, off-the-shelf parts and some adequate Python code to help determine if you're being followed by analyzing nearby wireless signals.

We’ll cover methodology and best practices as well as challenges encountered during development and field testing. We’ll release the code so anyone who wants to build their own easily can, likely with parts they already have laying around.

Building the Cyber Security Pipeline: A Call To Action

There are 3.5 million open cybersecurity positions globally and 300,000+ in the US. It is expected that the gap between qualified security experts and unfilled positions will continue to widen, leading to critical security risks. Additionally, nation states are integrating AI/ML into cybersecurity curricula faster than US schools. There is a disconnect between HR and corporate expectations for "entry level" cybersecurity professionals, in competencies, experience, and pay, and the realities of the workforce. So how do we create a cybersecurity talent pipeline to improve security within our communities, organizations, and the nation?

What I Learned After My First Year as a Security Analyst

Working as a security analyst is a popular way to start a career in infosec. Are you considering this path? Join the presenter as she recounts her first year working as an analyst and what it takes to survive and thrive in a SOC. When it comes to being on the front lines protecting networks, some lessons are learned the hard way. This talk is full of the things she wishes she had known when she started.

What are we missing in Web Applications?

4 Feb 2022 3:30 PM - 4:00 PM

In today's world, we have modern and stable web application frameworks to develop on that are already well secured against attacks, regardless of the OS. If you design the system properly, an attacker cannot inject into the system, and cannot attack the website with common attacks like XSS, CSRF, SSRF, SSTI, etc.

On the other hand, we have sophisticated scanners which scan the website dynamically, with interactive logins as well, covering the internal pages. Alongside the scanners we have secure coding practices and tools which can scan the source code regardless of the programming language. These are necessary tools when developing a secure application.

But what all of these miss are "Business Logic Flaws", which are the reason for the highest-paid bounties on HackerOne, Bugcrowd, etc. Business Logic Flaws are the attacks that neither the source-code analysis tool nor the dynamic web application scanner can detect.

The presentation/talk will discuss vulnerabilities that can arise from business logic flaws, which can affect the confidentiality, integrity & availability of customers' information as well as the product that is connected with the application. We will discuss CVE-2019-2823 (Oracle Financial Services) along with other 2FA bypasses in financial mobile applications, where I was able to do vertical privilege escalation in regards to roles, checker, maker, etc. modules. These were critical findings in financial information systems, which APTs are attacking day and night.

This will also discuss the poor coding practices that were used in the application and the neglect of a built-in secure software development life cycle. This is not just limited to data exposure: anyone can alter the data as well, and can view what they are not allowed to see.

The majority of the banks in the world use this Oracle service. There are a lot of similar bugs out there right now as well, in regards to Business Logic Flaws. We have to enhance our testing skills rather than depending on the scanners; a manual testing approach that tests the use cases will be a good approach.

Observations from Social Engineering my way Through a Pandemic

COVID-19 has impacted all of us in some form. For social engineers like me, COVID-19 impacted the way we perform social engineering assessments. In this talk I will discuss how my social engineering assessments were impacted with the rise of COVID-19, how my pretexts were modified to focus on COVID-19 (in an ethical manner), and what I learned from them.

With the mandatory (and life-changing) switch to remote work, employees more than ever began to rely on both email and their phones as a means of communication. This introduced a gigantic opportunity for attackers to target the weakest link of an organization, the employee. This also meant that, to stay current and up to date with the latest attacks, many social engineers, including myself, tailored their campaigns to include COVID-19 as a pretext. This also meant that employees were significantly more likely to engage with my emails or phone calls because it became 'the norm'. Furthermore, several of the employees I called were so thankful just to speak to someone that they were more than willing to 'assist me with my technical issues'. In the body of the talk, I want to present multiple pretexts, results, and stories of my experiences from phishing and vishing through the pandemic to provide some insight as to how it introduced vulnerabilities to my clients.

COVID-19 has shone a light on many organizations' security posture. More than ever, companies need to be educating their users on cybersecurity threats and involving them with the security team. Security is a group effort, and it is our job as consultants, social engineers, and supporters of the InfoSec community to educate those around us on social engineering attacks such as those demonstrated throughout my talk.

Worst of Cybersecurity Reporting 2021

In this session, two tech writers who roasted the worst tech reporting of 2019 and 2020 are back on the grill to discuss... the worst tech reporting of 2021! This year we've broken down the top media fails into four cardinal sins: not reading or understanding a company's privacy policy/terms of use, taking press releases at face value, being unclear about relevant details, and relying on sources without domain expertise. But this bleeds into the tech sector as well: before journalists misrepresent a company's privacy policy, the company itself often misleads its own users (by error or by design). And who is responsible for writing those press releases that sometimes get parroted in the first place? We'll see what we can learn from the year's biggest fails, and how journalists and hackers can work together to make security reporting suck a little bit less in 2022.

Sharing is caring: the deeply human side to CTI networking

In the CTI space, there’s a steady drumbeat repeating a mantra: security teams cannot successfully and sustainably operate in an intelligence silo. This feeds continuous discourse around how developing cross-boundary collaborations in intelligence sharing, standardization, and reporting are key to proactive defense, collective resilience, coordinated response, and effective remediation during an active attack. Of course!

Yet the enormity, and complexity, of it all feels insurmountable when considering how CTI professionals can most effectively network and share intelligence *today*. So what's really going on at the individual level?

This presentation shines a light on the human aspect of today's CTI sharing practices via networks, both formal and informal, public and private. The session lays out the landscape of popular channels for CTI networking following peer-to-peer, peer-to-hub, and hybrid models; previous research and ongoing efforts to enhance CTI sharing by public-private groups; and well-known blockers (hello, legal approvals!) to effective networking. Survey insights add depth to this foundation by benchmarking real practitioner behaviors and attitudes. We seek answers to questions like: how do good old-fashioned 1-to-1 'DMs' compare to invite-only Discords, paid industry memberships, or national sharing initiatives? What real-world networking experiences actually prevented an attack?

Hacking Back Scammers

The scammer epidemic is ever-present in our connected world and shows no sign of slowing down anytime soon. Our team is currently researching infrastructures commonly used by scammers and creating our own malware to hack in and monitor scammers without their knowledge, allowing us to preemptively warn victims and gather enough intel to report the scammers.

In this talk, we'll break down our approach to a project of this scale as students, along with the progress we have made and lessons we've learned. Join us for a dive into the world of scams, malware, and ethical hacking!

Building and Defending a Machine Learning Malware Classifier: Taking Third at MLSEC 2021

Nowadays when you read about cybersecurity, you're almost sure to see something that mentions machine learning (ML) as the silver bullet to solve all problems cyber. Of course, ML isn't the cyber cure-all, and indeed suffers from its own non-cyber problems, chiefly that ML brings with it its own set of vulnerabilities and weaknesses, often termed "adversarial ML." These weak points range from leaking private data that the model was trained on to being easily evadable given the right motivation and context.

In this talk, we'll go through our own experiences leveraging ML to try to build and defend a robust malware detector as part of our submission to the 2021 Machine Learning Security Evasion Competition. Our talk will start by going over the background on adversarial ML, followed by how we used these ideas to generate adversarial malware variants that we then built our model from. We'll then shift gears to how we sought to "defend" this model by explicitly attacking the models submitted by the other participants, walking through how we trained a proxy ML model and staged attacks against it.

In the end, our submission took third place in the competition, outperforming some but not all of the contestants. However, our journey exposed many lessons learned for others looking to get into the space, as well as for those already practicing in it. Attendees of this talk should walk away with an understanding of those lessons, including pointers to resources they can use to build their own models, including the open-source code and the data behind our submission.