The Diana Initiative 2022 Hybrid Convention

Date & Time: Saturday, July 16th [VIRTUAL] (8:00 AM — 6:00 PM PST) — Saturday-Sunday, August 10th (8:00 AM — 8:00 PM EST) & August 11th (8:00 AM — 6:00 PM PST)

Location: Westin Las Vegas Hotel & Spa (160 E Flamingo Road, Las Vegas, NV 89109)

Website: https://www.dianainitiative.org/

Tickets: https://www.eventbrite.com/e/the-diana-initiative-2022-tickets-84434470775

Virtual Platform(s): Zoom (Workshops) & YouTube (Talks)

Schedule: https://www.dianainitiative.org/event/2022-schedule/

Live Streams:

YouTube: https://www.youtube.com/c/TheDianaInitiative

Virtual Chat: Zoom Chat

Affordability: The Diana Initiative 2022 is FREE to attend Virtually (Talks Only, No Villages). It costs $30 to attend In-Person both days, which includes workshops. Students and Veterans can get In-Person tickets for FREE after verification. In-Person tickets come with Virtual passes. You can also email them for reduced cost tickets if you are unemployed/underemployed.

Code Of Conduct: https://www.dianainitiative.org/about/policies/

A diversity-driven conference committed to helping all underrepresented people in Information Security. The Diana Initiative features multiple speaker tracks, villages with hands-on workshops, and a Capture the Flag event.

Back for the 6th year, The Diana Initiative is hosting a two-day diversity-driven conference committed to helping all underrepresented genders, sexualities, races and cultures in Information Security. The Diana Initiative features multiple speaker tracks, fully expanded villages with hands-on workshops, and a women-led Capture the Flag event.

This year our theme is “Take the Initiative.” Our discussions will focus on impactful ways large and small that each of us can advance information security, diversity initiatives, and ourselves, both professionally and personally — whether gender, race, sexuality, skill level and neurodiversity.

Originally known as TiaraCon, this matured and hardened version of the original concept has evolved so much over time that it has emerged from DEF CON’s shadow and has grown into its own thing. As a group that is made up and led by various minorities on the fringes of society (even for New Jersey standards), we completely understand the need and creation of a space to discuss issues in a demographic of technology-minded people. If you identify as a woman, an ally or want to learn amazing technology skills while getting a broader social impact picture, this convention is for you.

WAIT…I JUST CAME FROM THE TOORCAMP & A NEW HOPE GUIDE. THIS IS THE TENTH GUIDE! WHY ARE YOU POSTING THIS NOW!?

No, your eyes aren’t deceiving you. We decided to start The Diana Initiative guide early due to how it’s structured this year.

2022 events will take place on

  • July 16, 2022 Virtual Event

AND

  • August 10–11, 2022 In-Person at The Westin Las Vegas Hotel & Spa

Therefore the current version of this guide will only cover the Virtual section of the convention and will be completed at a later date to include the In-Person content!

HOW TO INTERACT VIRTUALLY FOR DIANA INITIATIVE WITHOUT LOOKING LIKE A SCRUB

Virtual Event CTF

HOURS: The game will run July 16, 2022, 9:30am — 5:30pm Pacific.

Our Virtual event CTF is brought to you by Just Hacking Games CTF

They have lots to offer players of all backgrounds and levels!

The CTF is password-protected. Once you have your ticket, you will be invited to our Discord, and the password will be available once the game starts.

The CTF can be played as a team or an individual.

There will be prizes to be won for the top 3 teams, donated by our wonderful sponsors!

Virtual CTF Committee

Chair: John Hammond

Co-Chair: Caleb Stewart

Prizes:

6-month pass

3-month pass

1-month pass

10 ebook vouchers

Hosting Sponsor: https://google.com

Hybrid (In-Person and online) CTF

Hours: 9a-5p August 10, 9a-4p August 11

Our Hybrid event CTF is brought to you by Carnegie Mellon University (CMU) and is hosted on picoCTF

They have lots to offer players of all backgrounds and levels!

The CTF is password-protected; you will need to stop in the CTF room to get the password once the game starts.

The game will run for both days August 10–11, 2022 (times still TBD).

The CTF can be played as a team or an individual. Teams can be up to three members.

There will be prizes to be won for the top 3 teams, donated by our wonderful sponsors!

There will be NO WiFi at the event, so be sure to bring a compatible device or an Ethernet (Cat5) adapter.

Virtual CTF Committee

Chair: Hanan Hibshi

Student Leads: Yuwei Li, Suma Thota, Palash Oswal

Student CTF Staffers: Asparsh Kumar

Challenge Team: TBD

Prizes:

1 Year VIP+
50GBP Swagcard
3 Month Prolab
3 Month VIP
1 Month VIP+
500 Academy Cubes

Career Village

Career Village will offer advice and resources below for building both your professional career and yourself. These life skills can help you keep your professional career alive and healthy! These available services will be offered during and around talks about personal development during the conference.

  • Panel presentations
  • Resume Reviews
  • Mock Interviews

Hours

16 July 2022

10 Aug 2022

  • 0930–1230 Mock interviews/Resume Reviews/Career Coaching
  • 1300–1330 — Lunch break
  • 2–4pm Mock interviews/Resume Reviews/Career Coaching
  • 4–5 PM — In person Career Village Panel — “The Hiring Side”

11 AUG 2022

  • 0930–1230 Mock interviews/Resume Reviews/Career Coaching
  • 1300–1330 — Lunch break
  • 2–4pm Mock interviews/Resume Reviews/Career Coaching

Candidate resources

Resume templates, salary information, and other resources.

Lockpick Village

Virtual Event

Lockpick Extreme will again be hosting remote Lock Picking Workshops during the conference this year.

[Buy your Lockpick kit and workshop pass — Registration will close on Sunday, July 10th.]

That’s right — learn to pick from the comfort of your home!

Registration is required and is an additional fee (in addition to your TDI ticket) that is paid directly to the workshop organizer Lockpick Extreme.

Purchase this workshop: [on their website]

Date: Saturday, July 16, 2022
Place: Online Video Conference Call System — Details of our online learning space will be sent to you after registration and before the event begins.
Time: Sessions available at 9am Pacific (UTC-7).

Important Details:

  • This purchase includes access to the remote workshop as well as your selection of either the Classroom Set or Premium Lockpick Training Kit.
  • For this session, we require the purchase of either the Classroom Set or Premium Lockpick Training Kit.
  • A webcam and microphone are required for participation. We understand that some may be shy to show their face or surroundings.
  • To provide you with the best experience and feedback to grow your lockpicking skills, it is best if we can see what you are doing. If you would prefer, we suggest setting up your camera in a way that only shows your hands so we can still provide you with picking guidance.
  • After you purchase this item, you will be contacted via the email used at checkout about details on how to join the workshop event.
  • Shipping is limited to U.S. Domestic address. (Sorry, we are unable to ship to AFO/FPO addresses).
  • The last day to register is July 10, 2022 or when sold out. This is required so that they can ship your Workshop Kit in time.

Maker Village

Virtual Event

  • 10am PDT Tinkercad Circuits
  • 11am PDT Soldering Demo 1
  • 12PM PDT EasyEDA
  • 1pm PDT Soldering demo 2
  • 3pm PDT Soldering Demo 3
  • 4pm Soldering Demo 1

Things to do in the village

  • Learn to solder
  • “Stitch & Bi**H” hangout area
  • Sticker exchange table
  • Electronic Badge upgrade [purchase DIY electronic badge kit]
  • Surface Mounted Device (SMD) workshop
  • Two classes of 25 using a custom kit for a small fee [purchase a kit]
  • You MUST buy your workshop kit in advance, and for the day you plan to attend.
  • After the event if there are kits left we will sell them with the option to ship, but not until after the final class

Internet-Of-Things (IOT) Village

Check out the hands-on hacking labs at IoT Village! IoT Hacking 101 is a set of quick, hands-on labs developed to teach the tools and techniques for discovering and exploiting some of the common weaknesses found in IoT devices today.

Whether you’re a penetration tester that has never hacked IoT devices or even someone that has never hacked anything(!), these self-guided labs will walk you through all the steps from analyzing router firmware, finding hidden backdoors, enumerating devices and performing remote exploits.

Students work at their own pace following our IoT Hacking 101 guides, and instructors are on hand to provide assistance as needed and answer any questions.

NOTE: The IoT website appears DOWN until the conference.

Games Night

Virtual Event

7:00–9:00pm Pacific (UTC-7) https://greenwichmeantime.com/time/to/pacific-local/

  • There will be a games channel in our Discord for people to self organize into groups to play free games! We have started [a list of free games] to give people ideas.
  • There will be an RPG (D&D style) game 6:30–9:30 — Come join John the Game Master for a ~3 hour D&D adventure into Brookeville and solve the mysteries of the small farming community. Open to experienced or new folks. We will use pre-generated 3rd level characters and online mechanics, but it will be a story heavy gaming session to minimize confusing rules. SIGN UP IS REQUIRED — watch your Eventbrite emails ~48 hours before the event.

In-Person Event

Stop on by 7:00–9:00pm Pacific (UTC-7) https://greenwichmeantime.com/time/to/pacific-local/ on Wednesday August 10, 2022 for Games Night!

  • We’ll have an assortment of board games for everyone to borrow and play.
  • For example: Ticket to Ride, Cthulhu Fluxx, Conspiracy theory, card decks, and more!
  • There will be an RPG (D&D style) game. Come join John the Game Master for a ~3 hour D&D adventure into Brookeville and solve the mysteries of the small farming community. Open to experienced or new folks. We will use pre-generated 3rd level characters and online mechanics, but it will be a story heavy gaming session to minimize confusing rules. SIGN UP IS REQUIRED — watch your Eventbrite emails ~48 hours before the event.
  • If we get some trusted moderator volunteers for games night we can also offer it to virtual attendees! (people to self organize into groups to play free games! We have started [a list of free games] to give people ideas.)

Student Scholarships 2022

Information Security is a constantly changing and evolving field. One of the best ways for us as a community to support those up-and-coming into our industry is to encourage students to attend InfoSec conferences, in this case “Hacker Summer Camp” (BlackHat, BSidesLV, Narwhal.be, Diana Initiative, Queercon, Def Con).

We can’t make these Scholarships happen without your help. If you would like to donate toward enabling a deserving student to attend Hacker Summer Camp, please complete the donation form below. Everything donated through this form will go to Scholarship Winners.

For our second scholarship year, our goal is to raise at least $4,000 for 5 students. This should enable a student to cover hotel room, food, and some travel expenses in order to attend Black Hat, The Diana Initiative and potentially other hacker summer camp activities. We understand that depending on the origin of the student this may not cover all their expenses, so if we beat our goal we would love to increase the amount we award each student so that they get to experience Black Hat, The Diana Initiative, learn to solder, career village, connect with mentors in the InfoSec community, take part in a Capture the Flag competition, and possibly find their niche in this field without hurting their budget.

Scholarship Details

Scholarships include:

  1. One (1) entry badge for The Diana Initiative 2022 (Virtual July 16 and In-Person Aug 10–11)
  2. DFRWS Virtual Conference Badge (July 11, 2022 to July 14, 2022)
  3. One entry badge for Black Hat (donated by Informa PLC)
  4. DefCon 30 Badge
  5. Check for 1/5th of the amount raised
  6. We are hoping to announce additional benefits soon!

If your organization or event would like to donate tickets or other in-kind items that are not cash, please reach out.

Depending on the amount raised and your personal circumstances scholarships MAY NOT cover all travel costs to/from Las Vegas, NV; meals; or any additional funds or benefits.

Scholarships are available to all students, regardless of race, gender, orientation, nationality, residence, or current education program.

In order to qualify for a Student Scholarship to The Diana Initiative, applicants must be a student (high school, college, university, or certificate program) with an interest in Information Security.

Applicants under 18 years old, if selected to receive a Scholarship, will be required to provide their legal guardians’ contact information, as the guardian will be required to agree to all the conditions. In addition, the guardian will need to accompany and be held responsible for the under-18 Scholarship winner. The guardian will receive an entry ticket to our conference and will share a hotel room with the winner.

DCG 201 TALK HIGHLIGHTS FOR DIANA INITIATIVE 2022 (PST)

This is the section where we have combed through the entire list of talks on both days and list our highlights for the talks that stand out to us. Note that this does not invalidate any talks we didn’t list; in fact, we highly recommend you take a look at the full convention schedule beforehand and make up your own talk highlight lists. These are just the talks that for us had something stand out, either by being informative, unique or bizarre. (Sometimes, all three!)

VIRTUAL JULY 16TH

Keynote “Take the Initiative”

8:30am — 9:30am

Maggie Mayhem

maggiemayhem.com/

Maggie Mayhem is a former sex worker and current full spectrum doula. She has spoken previously at HOPE as well as DefCon, Skytalks, SxSW, the United Nations Internet Governance Forum, as well as many events and universities around the world.

Pentesting Android Applications-Lab Setup to Get Started

10:00am — 10:30am

As of January 2022, Android accounts for 69% of global market share. Thus it's very important to know how to perform penetration testing on Android Mobile applications. In this paper I would like to take over the audience on how to get started in Android pentesting.

Anuradha Modi

I am a cybersecurity enthusiast and love to learn new technologies. I have 4 years of experience performing vulnerability assessments and penetration testing on various web applications and mobile applications.

Monitoring Global Data Privacy Developments through Open-Source Intelligence (OSINT)

11:00am — 11:30am

This talk presents Open-Source Intelligence (OSINT) as a mechanism to monitor, track and report key data privacy developments. The system uses free or low-cost tools and does not require programming or technical knowledge. The talk is divided into four parts. Part I provides a basic introduction to OSINT. Part II goes through the OSINT implementation process, from the diagnosis and planning stage through checking and evaluation. In Part III, the speaker will discuss their experience in implementing an OSINT privacy monitoring system. Part IV concludes with some recommendation

Ana Trueba

Ana Trueba de Buen is a native of the US-Mexico Border (Tijuana — San Diego area), who moved to Mexico City to work in policy and ended up in cybersecurity and privacy. Currently, she is a Data Protection Officer/Compliance Manager at a SaaS company, where she focuses on information security compliance and data privacy requirements across Latin America. She is a technology policy analyst and researcher specializing in data protection, cybersecurity, privacy, and digital government, which she analyzes from a global and multi-disciplinary perspective. Recently, she's given talks at the Mexican Electoral Tribunal and CalState Long Beach on topics related to privacy, surveillance, civil and political rights, and challenges they face. In her spare time, she likes to read, write, draw and drink too much coffee. She / Her / Ella

Getting into pentesting with Red Siege

1:00pm — 2:00pm

Anyone can stop in for a “Getting into pentesting” Q&A session as well as meet the Red Siege team.

Don’t miss it as there will also be an apparel and sticker giveaway during this event (as well as during the course of the day, don’t forget to stop by).

Justin Connors

Molly Murdoch

Jason Downey

How I hacked into the OFO Bikes in Singapore

2:00pm — 2:30pm

I would like to talk about how I hacked into the Bluetooth low energy bikes from OFO that were all over Singapore in 2018, and was able to unlock it and ride it for free! This is a classic man in the middle replay attack which I was able to exploit. I would walk over the steps of conducting the exploit and show a video of the same. I would end the talk with some recommendations to make devices safer against these kinds of attacks. It's to be noted that this exploit qualified for the bug bounty program, but never followed through because the company went bankrupt quite after.

Sivaranjani Sankaralingam

I am a security researcher currently on a break. Previously, I worked on vehicle security at Desay SV, Singapore and prior to that I had a short stint at National University of Singapore, where I got the chance to hack into the OFO bikes. I also interned at NCC Group for a short while, hacking into Zigbee doorlocks during the summer of 2014. I have a masters in information security from Carnegie Mellon University, Pittsburgh.

Don’t settle for less — know your value!

2:30pm — 3:30pm

You aced the interview and the hiring manager offered a salary but it was less than what you expected! Do you accept it, do you ask for more or do you decline it?

According to research, women make 82 cents for every dollar earned by a man and the gap is even wider for women of color, LGBTQ and other underrepresented groups. The pandemic hit the economy hard and many women left the workforce. Unfortunately in some industries, taking a leave of absence or paternity leave negatively impacts opportunities into leadership positions and salary because it reduces the # of years when calculating experience. Will the gender pay gap widen as a result of the pandemic? The solution to closing the gap is to create a transparent culture and provide visibility to employees however it is easier said than done.

Whether you’ve recently graduated or you are returning back to the workforce, or if you are considering your next move, negotiating what your next job offer, promotion, benefits and pay is important.

In this session attendees will learn:

1- Why it is important to know your personal value?

2- Who is responsible to correct the pay gap?

3- When to negotiate and when to turn down an offer?

4- Where to find resources so you know what you’re worth?

5- What you can apply through 4 simple tips on negotiation strategies and tactics?

Aarti Gadhia

Aarti Gadhia is a change maker and has dedicated her entire career to breaking down barriers and boundaries to achieve equality for underrepresented groups in STEM and in leadership. She founded Standout To Lead to empower women in cybersecurity to join boards and as a result 30 women have begun their board journey. She also founded SHE (Sharing Her Empowerment) with a mission to be a collective voice and accelerate change. She is currently at Tines and has worked with prestigious companies including Sophos, Trend Micro, Carbon Black (VMware) and Bugcrowd. Aarti also serves as the Board Director for ObserveID, an identity intelligence and automation platform. She volunteers her time and serves on the OWASP Vancouver Board and is an advisor for WiCYS Western Canada Affiliate Board. Aarti was honored for her contribution to the cybersecurity community by being named as one of the Top 20 Women in Cyber Security in Canada. She is a speaker and one of the authors of the book “The Rise of the Cyber Women: Volume Two” as she shared her Safari of experiences as a change agent paving the path for future generations. She was quoted in Canadian Security Magazine as she shared her views on the importance of soft skills to break down barriers in traditional hiring. Due to her international background, she loves to travel and learn different cultures. If you’ve seen her post on LinkedIn titled Phulka Roti, you’ll know that she enjoys cooking.

Sherifat Akinwonmi

Crossing the Finish Line — How to Train for and Achieve Your Goals in Security

4:00pm — 5:00pm

So you know you want to get into security or increase your current skills — but what specifically do you need to do next to get there? It can feel paralyzing trying to sort through conflicting advice and suggested goals which might take years to accomplish, especially if also struggling with imposter syndrome, gatekeeping, or other issues. In this talk, I use the example of training for a running race such as a 10K to break down the needed steps into easy-to-understand analogies. This talk will be helpful for anyone who is newer to security and not quite sure where to begin, those with more experience who have identified their next goal but don’t yet have a structured plan to reach it, and those who may struggle with imposter syndrome or self-confidence issues.

Elle Stehli

Kicking Imposter Syndrome to the Curb

Have you struggled with Imposter Syndrome? Is Imposter Syndrome holding you back from becoming the best you can be? Let’s discuss how Imposter Syndrome has affected you and how you can kick it to the curb. I talk about how I realized I have Imposter Syndrome and my journey to overcome it. There are many tips and tricks to overcoming Imposter Syndrome. Let’s discover them and get you on your way to recovering from Imposter Syndrome.

Elaine Harrison-Neukirch

Elaine Harrison-Neukirch currently manages the Customer Support program at SCYTHE. Lead. Elaine has over 10 years of experience in cyber security working in the healthcare and financial services industries. She is the volunteer Education Director for Cyber Security Non Profit (CSNP.org). She has written several blogs for both the Cyber Security Non Profit and SCYTHE. She has spoken at Grimm Con 6 & WiCyS 2022 Conference. Elaine advocates for Women in Cybersecurity; she is a member of both Women in Cybersecurity.

IN-PERSON

Wednesday, August 10

8:00am PDT

Opening Remarks/Welcome

8:30am PDT

Keynote

Jen Easterly is the Director of the Cybersecurity and Infrastructure Security Agency (CISA). Ms. Easterly was nominated by President Biden in April 2021 and unanimously confirmed by the Senate on July 12, 2021. As Director, Ms. Easterly leads CISA’s efforts to understand, manage, and reduce risk to the cyber and physical infrastructure Americans rely on every day.

Before serving in her current role, Ms. Easterly was the head of Firm Resilience at Morgan Stanley, responsible for ensuring preparedness and response to business-disrupting operational incidents and risks to the Firm.

Ms. Easterly has a long tradition of public service, to include two tours at the White House, most recently as Special Assistant to President Obama and Senior Director for Counterterrorism. She also served as the Deputy for Counterterrorism at the National Security Agency.

A two-time recipient of the Bronze Star, Ms. Easterly retired from the U.S. Army after more than twenty years of service in intelligence and cyber operations, including tours of duty in Haiti, the Balkans, Iraq, and Afghanistan. Responsible for standing up the Army’s first cyber battalion, Ms. Easterly was also instrumental in the design and creation of United States Cyber Command.

A distinguished graduate of the United States Military Academy at West Point, Ms. Easterly holds a master’s degree in Philosophy, Politics, and Economics from the University of Oxford, where she studied as a Rhodes Scholar. She is the recipient of the James W. Foley Legacy Foundation American Hostage Freedom Award and the Bradley W. Snyder Changing the Narrative Award.

A member of the Council on Foreign Relations and a French-American Foundation Young Leader, Ms. Easterly is the past recipient of numerous fellowships, including the Aspen Finance Leaders Fellowship, the National Security Institute Visiting Fellowship, the New America Foundation Senior International Security Fellowship, the Council on Foreign Relations International Affairs Fellowship, and the Director, National Security Agency Fellowship.

9:30am PDT

Using S.M.A.R.T. Feedback to fight inappropriate communication at work

Keep your dignity against inappropriate and unconstructive feedback at work by implementing S.M.A.R.T. feedback guidelines. People are emotional beings. A small but significant percent of workers try to meet their emotional needs at their coworkers’ expense, usually by targeting their LGBTQ and minority coworkers with negative social aggression disguised as “feedback”. S.M.A.R.T. feedback can be your tool to combat unprofessional communication that provides no value to you or your employer. S.M.A.R.T. Feedback can also help you achieve more career growth and job satisfaction. Learn how S.M.A.R.T. feedback can keep your career going in a positive direction regardless of the emotional needs of others on your team.

Sue Spencer

CEO, Seamly Systems, Inc.

Open source software, Next-gen design technology

11:00am PDT

From Failure to Big Tech: (A)typical Security Job Hunting Strategies

As privacy awareness and the number of cyber attacks increase, the need for competent security and privacy professionals is also on the rise. 64% of organizations currently oversee a cybersecurity talent shortage. Students like myself studying information security, however, face countless trouble seeking their first internships. After conducting workforce development research, I adjusted my job-searching strategy and was able to land my internship position at a major tech company. In this talk, I will share the strategies that I used to get my internship offer.

A passionate InfoSec advocate, Weijia Yan is a student at Carnegie Mellon University and conducts research in cybersecurity workforce development for CyLab Security and Privacy Institute. She enjoys general cybersecurity education and raising awareness among her community.

12:00pm PDT

Essential Guardrails for AWS Organizations

While service-level controls in AWS such as configuring security groups and scoping permission policies are important parts of securing your services and applications within an AWS account, it’s easy to forget security beyond the account level. This talk will cover “the essentials” of securing your AWS Organization, including securing root account(s), logically organizing AWS accounts, and designing and applying Service Control Policies (SCPs) to restrict actions within multiple accounts. We’ll walk through the implementation and testing of selected SCPs, discuss logging within Organizations, and wrap up with actionable takeaways.

Cassandra (aka muteki) works full time in information security consulting, specializing in Cloud Security Architecture and Engineering. She holds a master’s degree in Computer Science, focusing on cloud-based app development and academic research on serverless security and privacy/anonymity technology. As one of the directors of Blue Team Village, she also works to bring free Blue Team talks, workshops and more to the broader security community.

2:00pm PDT

Keep Your Enemies Close and Your Secrets Closer

Hackers can exploit lazy developers. Remember, an adversary can use detect secrets tools to find secrets in your codebase. If you are worried about leaving credentials in your codebase, you may have employed the very popular Open Source Yelp Detect Secrets. In this talk, she will showcase how she wrapped the Yelp Detect Secrets tool for use in Azure to take results and immediately export them to your backlog and how to use this extension to prevent access to your code.

Audrey Long is a Senior Security Software Engineer at Microsoft in the Commercial Software Engineering team (CSE), which is a global engineering organization that works directly with the largest companies and not-for-profits in the world to tackle their most significant technical challenges. To Audrey, security is like solving a puzzle, but with real life impact- and she loves to break these puzzles. Because security is such a focal point for many customers, but there are so few people, and especially women in the space, Audrey is passionate about making security accessible both to software engineers and as a career for girls in STEM. She holds DoD secret clearance and a Master of Science degree in Cyber Security at Johns Hopkins.

2:00pm PDT

Expedition Behavior: What mountaineers, astronauts, and cybersecurity practitioners have in common

What do mountain climbers, astronauts, and cybersecurity practitioners all have in common? High risk situations are a regular part of the job. Whether it’s the vacuum of space, avalanches, or losing customers’ data, we have a shared need to collaborate well in adverse conditions. Expedition Behavior is a term originally coined by the National Outdoor Leadership School (NOLS) to describe successful teamwork in the adverse conditions that mountaineers often face. NASA has adopted Expedition Behavior, which is now part of the astronaut training curriculum. In this talk we will discuss the meaning of Expedition Behavior, how you can adopt it and how you can apply the underlying principles and teachings to a cybersecurity organization.

Over a 16 year career at Google, Robin Shostack has worked in the security, privacy, and identity organizations — as well as several products with over a billion users. Robin is the Program Lead for Google’s Offensive Security (Red Team) operation. Through her combination of security and product development experience, Robin brings a unique perspective to running a successful and effective security organization. A lifelong nerd — Robin has a passion for human spaceflight, and a history of travel to areas of the wilderness so remote that she’d be out of pager range, including the Kimberly area of Northwestern Australia, the Gobi desert in Mongolia, and the Okavango river delta in Botswana.

2:30pm PDT

Android Application Hacking

Even though Google Play carefully chooses the Applications for the store, many Android Applications are still vulnerable.
Android App Hacking is a specialization area, so it is much less documented than other pentests. In this session, I will tackle this subject.
After providing instruction for a complete setup of an Android App pentest lab, a deeper dive into the process with static analysis, dynamic analysis, reporting, including video demo and detailed examples on purposefully vulnerable applications will occur.

Gabrielle Botbol is a professional actress who became an ethical hacker.

She created a self study program and is dedicated to educating others on how they can do the same.

Gabrielle is the heart and the voice of cyber communities and she promotes the values of equality and justice, her mantra is “Action for Cyberpeace.”

She shares her knowledge through talks and workshops for international conferences and local organizations.

Mrs Botbol has been honored for her accomplishments and contributions by multiple awards like Top 20 women in cybersecurity in Canada 2020, Educator of the year 2022 and Top Influencer IFSEC 2022.

4:00pm PDT

Red Teaming Cyber’s Diversity Problem

The skills gap is one of the most pressing issues in cybersecurity, and, unfortunately, part of this problem comes from gatekeeping, unrealistic job requirements, discrimination, stereotyping and unimaginative thinking. Common problems in other male-dominated fields that require undoing decades of exclusion to solve. It’s incumbent upon all companies and communities in cybersecurity to champion inclusion and diversity for women and gender minorities, which puts The Diana Initiative and its audience at the heart of the solution.
In this presentation, we’ll discuss the origins of an online community of women hackers and how utilizing community and mentorship can remove barriers to inclusion for women, trans and nonbinary people, and others who identify as a gender minority. We’ll also discuss best practices and discuss lessons from the first six months of the program to help others interested in similar initiatives. If you are interested in breaking into offensive security or just building an inclusive offensive security community, this session is for you!

Emily Peacock has always had a passion for bringing joy to others, whether that be through smiles, laughter, food, entertainment, acts of kindness or fostering a sense of community. Prior to Synack, Emily spent five years as a culture ambassador for tech start-ups building company-wide employee engagement, recognition, and onboarding programs. She is now the Community Engagement Manager for the Synack and Artemis Red Team, where she focuses her vivacious energy towards providing a fun and supportive environment for researchers to connect, learn and find success. In her free time, you can find her busting a move with her dance community or becoming one with her couch and her senior pup, Bender.

After spending more than two decades building online communities for tech savvy enterprise developers, Ryan (@ryanrutan) returned to his hacker roots as the Sr. Director of Community at the Synack Red Team in 2019. He is a long-time developer/maker at heart and technology innovator by trade, but his passion comes from uniting people, process and technology into sustainable communities capable of meeting any challenge. When he’s not programming, building integrations, or automating processes, he decompresses by writing fiction novels, hacking on IoT projects, and playing trivia games with his family and friends. #ForkThisLife

4:00pm PDT

No parking, no problem!

What happens if one day you have control of all the parking meters in your city? In this talk we will talk about a problem that I encountered in a parking system in my city, and then you discover many cities with the same system! That talk includes NFC, SQL, reverse engineering, and other herbs.

My name is Ignacio Navarro, I am 24 years old and I am from Río Cuarto, Argentina. I am currently working as a Sr. Software Engineer at AttackIQ. I started to enter the world of infosec about 5 years ago. My interests include code analysis, webapps security and cloud security.

4:30pm PDT

Breaking Silos: Your Operational Experience Is Needed in Legislative & Policy Spaces

Do you ever wonder how cybersecurity laws get crafted? Even how the ideas come up? Too often, legislators and their staffers are looking for ideas on how to close cybersecurity workforce gaps and increase security and resilience across critical infrastructure to combat the ever-increasing cyber-attacks and data breaches. However, not all cybersecurity practitioners are aware of the different avenues they can provide their operational experience, and how they can help legislators and their staffers understand the operational implication of their legislative proposals. If you are interested in learning how to participate in the conversations or pivot into cybersecurity policy to help improve how legal and regulatory frameworks are shaped — then attend this lightning talk! You can help policy decision makers avoid complicating the work of operators and analysts. I’ll go over why your experience and input is needed, which communities to join and events to participate in, and how to pivot into the cybersecurity policy field at the Federal, SLTT, or Industry level (including Academia).

Ayan Islam is the associate policy director of Cybersecurity and Emerging Threats at R Street Institute. She supports the oversight and development of the Cybersecurity and Emerging Threats program and provides subject matter expertise in public policy strategy development and implementation. Prior to R Street, she was the critical infrastructure portfolio lead at the Cybersecurity and Infrastructure Security Agency (CISA) where she led a team of vulnerability analysts and penetration testers analyzing vulnerabilities and developing tailored mitigation recommendations. She was also the CISA COVID Task Force Tier 0 project lead and Operation Warp Speed liaison at CISA, and a cybersecurity strategist for the Aviation Cyber Initiative (ACI).

5:00pm PDT

Threat Modeling in 600 seconds or less (ok, I lied, more like 2,400)

Threat Modeling in only 10 minutes? I’m in!! Oh wait, it’s really 40 minutes? That’s cool, I can work that in. Yes, Threat Modeling is both FUN and EXCITING and can shave tons of time off SDLC — if done right. So let’s get down and dirty and see what it takes to do a good Threat Model!!

Based in Seattle and a natural creature of winter, you can typically find Kat Fitzgerald sipping Grand Mayan Extra Anejo whilst simultaneously defending my systems using OSS, magic spells and Dancing Flamingos. Honeypots & Refrigerators are a few of my favorite things! Fun Fact: I rescue Feral Pop Tarts and have the only Pop Tart Sanctuary in the Pacific NW.

6:00pm PDT

Abortion Tech

In order to protect abortion access in America, it is imperative to understand what abortion is in material terms. This primer will discuss clinical and underground abortion procedures, provider opsec, targeted legislation against abortion access, how abortion access & gender affirming care are linked, and demonstrate how to build a DIY vacuum aspiration device. This talk will be presented from the perspective that abortion should be available on demand, without apology as part of a spectrum of human reproductive rights including gender affirming care and expression of sexual orientation. Providing abortions safely requires a background in healthcare that exceeds the time and content limitations of this talk. Though abortion will be discussed in practical terms, attendees will not be taught how to perform abortions.

This is a first come first served workshop based on equipment we have on hand

Maggie Mayhem is a former sex worker and current full spectrum doula. She has spoken previously at HOPE as well as DefCon, Skytalks, SxSW, the United Nations Internet Governance Forum, as well as many events and universities around the world. Her website is MaggieMayhem.Com.

Thursday, August 11

8:00am PDT

Opening Remarks/Welcome


Fuzzing: A Must Have in Your Bug Hunting Arsenal

Fuzz testing, aka fuzzing, is a dynamic software testing mechanism designed to detect a wide spectrum of bugs and potential security vulnerabilities from memory corruption to deadlocks, from undefined behavior to exception handling. In combination with appropriate program instrumentation, fuzzing has proven its effectiveness to software developers, security validators as well as security researchers. Although fuzzing can greatly assist in bug finding, it has its own sets of challenges such as coverage wall, effective input generation etc. In this talk, we will explore the common roadblocks in fuzzing and some of the best practices to overcome these challenges as well as how to best utilize the potential of fuzzing to find bugs and security vulnerabilities. In addition, this talk will highlight how fuzzing can be adopted in the firmware domain despite the tight coupling with the target hardware platform.

Priyam Biswas is an Offensive Security Researcher at Intel. Her areas of expertise include secure system development via fuzzing, sanitization, static and dynamic analysis. Dr. Biswas earned her PhD in Computer Science from Purdue University where her research focus was on applied cryptography as well as developing attack and defense mechanisms for both compile time and run-time vulnerabilities. She is committed to diversity and inclusion in STEM. Dr. Biswas leads several diversity and inclusion efforts at Intel, and actively drives retention and development of women in Cyber Security domain through arranging regular workshops and mentoring underrepresented students.

Building Secure Apps Starts With Secure Relationships

Secure Application Development is more than just the software itself; it’s about knowing who is creating the software. One of the most important relationships we’ll have as a security professional is the one we have with teams across the business — we can’t build a secure organization on our own! We’ll cover some common problems that arise from insecure relationships, including teams not being aware of your existence or processes, requests for help arriving too late or being lost in the noise, and only finding out about new features or products after they’ve gone live. This talk aims to give you practical examples and actions to help you take the initiative, to facilitate better conversations with teams, and cultivate stronger partnerships that encourage teams to reach out for help earlier and more often.

Yianna Paris. Currently a Security Engineer, with a focus on Application and Offensive Security. I built things as a Software Engineer, studied Computer Science, worked as a UX Designer, co-founded a software dev business, and taught higher education subjects. Still enjoy making things, but I now also break them. When I’m not coding tools, I like talking to people about improving security processes in app teams, tackling complex problems, and introducing software development practices into the security team. I love going detailed and technical, diving deep into problems when I’m doing vulnerability research, threat assessments, breaking video games and woodworking. I’m determined to uplift and introduce people with diverse experiences and perspectives into this field, by making secure software development an even more enjoyable experience.

9:30am PDT

372 Million Data Points and a Few Strong Opinions on the State of Attack Surfaces

There have been profound changes in security as a result of industry shifts toward cloud-native development, resilient architecture, and microservices adoption. My analysis of 372 million cyber assets, findings, and policies at 1270 organizations reveals just how significant the changes in the average asset inventory have been, and the profound impact on security teams.

This talk will share original, peer-reviewed research on the state of asset inventories and attack surface management at contemporary organizations and analysis of what it means for security teams, providing insight and advice for blue teamers, security leaders, and cloud engineers.

In particular, research will cover what the industry average (mean) of 120,561 findings in backlog means for security team burnout and how the ratio of cyber assets to practitioners has reached dire levels. The talk will also cover how current security skills training does not reflect the realities of our cloud-native asset architectures, and why ultra-reliable network architecture demands new approaches to security.

Finally, the talk will provide original research and analysis of supply chain risk, as well as insight into the most common blind spots for security practitioners — based on analysis of asset inventories compared to practitioner queries of their environments.

Jasmine “Hex” Henry is Field Security Director at JupiterOne and lead author of The 2022 State of Cyber Assets Report (the SCAR). Previously, she was a Director of Security at a different SaaS startup where she became a JupiterOne customer in September 2019. She is an accidental career specialist in applied graph theory for cloud-native startup security, but she firmly feels she could do much worse since graphs are great.

Jasmine has a MS in Informatics & Analytics from Lipscomb University in Nashville, TN, and is working to complete a PhD in Information Science. She is on the board of directors for The Diana Initiative and a career village organizer for BSides Seattle, as well as a speaker at countless industry conferences and events. Jasmine has worked with Esper.io, IBM Security, HPE, the ADP Research Institute, Philips, the Tennessee Valley Authority (TVA), and other organizations in her career.

12:00pm PDT

The Kids Are All Right

The information security industry is facing a skills crisis, a cultural crisis, and a diversity crisis. Studies have found that this industry is facing one of the highest workforce shortages and facing a lack of diversity within the workforce. The shortage of talented and motivated members is felt globally, with online safety something all members of our countries desire. This leaves many wondering: How can we address these crises and bridge that gap to engage, interest and empower the younger generations?

This talk focuses on youth community engagement and introduces Kids Securiday. We’ll discuss our experience bringing cyber security education to youth in Papua New Guinea (PNG), an island country in the southwestern Pacific Ocean. This country is known for its vibrant wildlife and rich diverse culture. However, women are disadvantaged in PNG socially, culturally, economically, and politically. The prevalence of violence against women and girls is one of the highest in the world. Highlighting the benefits, an overview of the education delivery model will be presented. We’ll cover how the workshops were formulated and share feedback from the participants and tutors. These insights can help those wishing to consider outreach activities to the younger generations and educators in areas where formal pathways may not be available.

Kids Securiday, established in Australia in 2017, has been running events for students all around the world. The program was recognized with Australian Information Security Association’s “Best STEM Program” award in 2021. These events focus on being fun and inspirational — with the intent to share knowledge with passion. We will share this inspiration with attendees, along with ideas and information on how to educate the next generation.

Heidi Winter. Founding Kids SecuriDay in 2017 out of an interest in sharing knowledge and her passion in STEM with the younger generations, Heidi is an enthusiastic security professional. She has worked in IT for over 20 years, where she has had the opportunity to experience both government and enterprise environments, completing her Masters in Cyber Security Operations at the University of New South Wales in 2020. Heidi spends her time giving back to the community by volunteering at conferences across the globe, organising meet ups and CTFs, and running popular community projects to educate young and old on the joys of infosec.

Jessie Richardson has worked in ICT for nearly 10 years — from systems administration and web development to communications and training, hardware refresh programs and various security programs — Jessie has done a bit of everything. Jessie brings a passion for IT and security education to our training programs and conferences.

2:00pm PDT

The Real Cost of Free: What you need to know before downloading a free app.

With plenty of free security software options out there, it’s easy to wonder why you would want to pay for online protection. We all love free apps, right? The idea that one has to pay for software can drive away many users, whereas applications that offer free services, are always enticing. However, a basic fact which is often neglected is that the application owners advertising their creations for “free”, have to generate profits in some way.

Mobile devices are stores of sensitive information and believe it or not, we are constantly sending a lot of information to some third-party app all the time. Installing a free app on our device(s) may not seem like a big deal at first but we need to understand the monopoly and concentration issues surrounding companies that own these apps, and how these companies are tracking & handling our data.
So, next time you find a free software, take a pause and think… is this free software truly free? Maybe if you are not paying for something, YOU are the product.

Ruchira Pokhriyal is a seasoned Cybersecurity expert who holds specialization in Web-Application PenTesting, Cloud Security & Digital Forensics. Her educational qualifications include a Bachelor’s & a Master’s degree in Computer Science & another Master’s degree in Cybersecurity. She is currently working as a Cloud Security Specialist and volunteer Incident Responder at Amazon Web Services (AWS). She keeps herself involved with well-known cybersecurity communities such as OWASP where she’s a part of the Women in App Sec team & WiCyS where she’s been a member & speaker & affiliate leader. Ruchira is also on the advisory board of a non-profit organization called Breaking Barriers-Women in Cybersecurity, which is focused on educating & empowering women who want to pursue a career in Cybersecurity. You’d often hear and see her advocate for D&I, specifically: LGBTQ+ Visibility, Neurodiversity, and Women of Color in STEM. Ruchira believes in growing with the community, being supportive & giving back as much as she can & is always looking to collaborate with like-minded individuals.

3:00pm PDT

Vendor Risk Management for Beginners

Companies of every size and industry must evaluate the security risks introduced by third-party apps and services. Getting compromised by an outsider is bad, but getting compromised through a vendor can be much worse due to their access to company data and use within closed networks. This talk will provide a primer for getting started on third-party vendor review and risk management, including tips to improve your organization’s data and security posture. Attendees will learn how to classify the sensitivity of data, how to do this work within a team, what risk acceptance is and how it works, and what resources may be available to you within your company.

Christina Liu is an ex-circus performer turned web developer turned Enterprise Security Engineer. She’s worked in highly regulated tech industries such as healthcare and finance. In her current role, she is the vendor review SME performing reviews and security integration liaison for a company of 3,000 people. Her favorite outdoors activities include rock climbing and hiking extremely slowly to look at wildflowers, mushrooms, and shiny smaller rocks.

4:30pm PDT

Keynote

Miki Demeter’s career has encompassed everything from firmware to application space. Her last 10 years have had a Security focus as a Security Researcher for Intel, working on Secure Development Lifecycle and as a Product Security Expert for Open Source Software. She is a writer, an Award Winning Public Speaker for technical subjects, and Diversity & Inclusion, and other social topics. Miki serves as a Board member of Portland Women in Tech, Staff of Women Who Code PDX, and Staff member for Diana Initiative. Miki is also civic-minded; she serves as an elected Director for the local Fire District and is a former TrevorChat crisis counselor. In her spare time, she raises and shows Irish Wolfhounds in the Coast Range of Oregon.

5:30pm PDT

Closing Remarks / Announcements

--


DCG 201

North East New Jersey DEFCON Group Chapter. Dirty Jersey Represent! We meet at Sub Culture once a month to hack on technology projects! www.defcon201.org