BSides Las Vegas 2023

Date & Time: Tuesday, August 8th (9:00 AM) — Wednesday, August 9th (6:00 PM EST)

Location: Tuscany Suites and Casino (255 E. Flamingo Rd.)

Website: https://bsideslv.org/

Tickets: https://www.eventbrite.com/e/bsideslv-2023-registration-602863931247

Virtual Platform(s): NA

Schedule: https://bsideslv.org/schedule

Live Streams:

YouTube: https://www.youtube.com/c/BsideslvOrg

Virtual Chat: NA

Affordability: Historically, BSidesLV has raised the bulk of the cost of running the conference through corporate sponsorships allowing us to give most badges away free of charge. Given uncertainty of the availability of those funds based on conversations our sponsorship team has had over the past few months, we have decided to require donations for badges this year. The minimum donation for a badge is $100. One big change for this year is that they’ll not be including badges with rooms in their hotel block. Online viewing of talks will be FREE.

Code Of Conduct: https://bsideslv.org/coc

BSides Las Vegas is a nonprofit organization formed to stimulate the Information Security industry and community by providing an annual, two-day conference for security practitioners and those interested in entering or looking to enter the field.

What started in 2009 as several conversations on Twitter about the politics of InfoSec conferences and the disappointing CFP rejections turned into a plan to host a small alternative event to create a friendlier space and really put the focus on the conversations that make our community great. What started in a vacation rental grew into larger and larger spaces before making its home at Tuscany Suites and Casino.

Each BSides is a community-driven framework for building events for and by information security community members. The goal is to expand the spectrum of conversation beyond the traditional confines of space and time. It creates opportunities for individuals to both present and participate in an intimate atmosphere that encourages collaboration. It is an intense event with discussions, demos, and interaction from participants. It is where conversations for the next-big-thing are happening.

One of the many Security BSides throughout the world, this convention truly kick-starts Hacker Summer Camp week every year. Normally free, though due to our living in this awful timeline there is a charge for badges this year. That said, BSides LV will still maintain its local, down-to-earth, community aspect as a convention made by hackers for hackers. Often overlooked compared to its bigger siblings later on in the week, we urge everyone to check out BSides Las Vegas when visiting Hacker Summer Camp for your first time or your hundredth time as something you DON’T want to miss!

FLOORPLAN

PDF: https://bsideslv.org/assets/bsideslv.map.2022.pdf

The #BSidesBus is back for 2023!

Bus will wait 15 minutes at each stop before continuing to the next hotel in the circuit. Round trips should be approx 30 min.

Wednesday, Aug 9

7:00am — 7:00pm

Circuit between Tuscany Las Vegas and Mandalay Bay Convention Center

Thursday, Aug 10

7:00am — 7:00pm

Circuit between Tuscany Las Vegas and Mandalay Bay Convention Center

Friday, Aug 11

8:00am — 11:59pm

Circuit between Tuscany Las Vegas and Caesars Forum Conference Center

Saturday, Aug 12

12:00am — 3:00am & 8:00am — 11:59pm

Circuit between Tuscany Las Vegas and Caesars Forum Conference Center

Sunday, Aug 13

12:00am — 3:00am & 8:00am — 11:59pm

Circuit between Tuscany Las Vegas and Caesars Forum Conference Center

COVID-19 Safety

Masks are not required, but are strongly recommended and will be made available at registration and the information booth.

We strongly suggest everyone wear disposable N95, KN95, or KF94 respirators and use a fresh mask at least once a day.

We strongly encourage participants to be vaccinated. While we are not requiring proof of vaccination to attend, we believe that vaccination, including the recommended booster doses, is one of the most important tools we have in protecting ourselves and our community from COVID-19.

We ask that you use common sense. Please do not attend the conference if you are feeling any symptoms of illness or have reason to believe you have been exposed to someone who is ill. We encourage frequent testing when traveling or around large groups of people. If possible, please take a COVID-19 test in the day or days leading up to the conference. Please wash your hands frequently throughout the conference.

Additional guidelines from the CDC: https://www.cdc.gov/coronavirus/2019-ncov/prevent-getting-sick/prevention.html

We may revisit this policy based on changing information. In case of changes to this policy, the published policy with the latest date is controlling.

Tuscany Suites and Casino

Book a three-night stay (min) at Tuscany. Cost: $89 Sun-Thurs, $139 Fri/Sat with the resort fee waived. Register online or call +1-877-TUSCAN1 and ask for the BSides Las Vegas block.

As a reminder, room reservations this year do not include participant badges. To secure your badges, please see the Donor Drive.

Silent Auction & Raffle

BSides Las Vegas has raised tens of thousands of dollars over the years for our charity partners through our annual silent auction and raffle. Items donated by sponsors, individuals, and BSLV are available for your perusal at the table in Middle Ground throughout the conference.

Our charity partners for 2022 will include:

We will have three drawings for the raffle: during Happy Hour each day and at the closing ceremony. To enter the raffle, purchase tickets by making donations right at the table and placing your raffle tickets in the draw boxes for each drawing. You must be present during the drawing to win.

Silent Auction bidding officially closes at 1900h on Wednesday, just before the closing ceremony. To win, you must be present at the time of the auction and you must be able to make payment immediately.

Any other questions? Want to donate something to the raffle or silent auction? Email auction.raffle@bsideslv.org

PROVING GROUND

The BSidesLV Proving Ground program exists in order to give first-time speakers the opportunity to work with a seasoned industry professional to improve their public speaking skills, with the end goal of presenting their research on a global stage at BSidesLV. All accepted speakers spend 4 months working with an experienced mentor who will assist them with everything from talking points to slide layout, design, and delivery prior to giving their talk in Las Vegas.

Proving Ground will consider any speaker who has original research and has never presented a 25-minute or longer presentation at an international information security conference*.

Proving Ground mentors should have at least 3 years of experience in the information security industry, and should have either:

  • successfully delivered at least one full-length presentation at an international information security conference*; OR
  • extensive professional experience with public speaking, such as teaching, in-person training, or public lectures/speeches.

*For purposes of clarity, the Proving Ground program considers “international information security conferences” to be any multi-day conference that a.) makes conference recordings available online, and b.) has 1,000 or more attendees. Examples include Black Hat USA, DEF CON, Shmoocon, etc.

Each accepted speaker and mentor will be provided with:

  • All speaker amenities at BSidesLV (including breakfast and lunch on both days of the conference)
  • A BSidesLV Proving Ground program t-shirt
  • A conference badge that will identify them as a part of the Proving Ground program
  • An extra conference badge for a friend

TRAINING GROUND

Some things just can’t be covered in an hour. BSides Las Vegas is happy to offer half-day Training Ground workshops free to anyone with a BSides Las Vegas badge. Workshop spots must be reserved ahead of time by going to our Eventbrite page.

2023 Registration will open in July and will fill up fast.

If you do not have a badge secured via the Eventbrite link above, please remember that badges will require a $200 donation at the event.

Many thanks to our trainers for donating their time to the community!

Deep Dive into Fuzzing — Day 1

Tuesday, August 8th ~ 10:30am — 6:30pm

Fuzzing is a technique of identifying software vulnerabilities by automated corpus generation. It has produced immense results and attracted a lot of visibility from security researchers and professionals in the industry. Today, fuzzing can be utilized in various ways which can be incorporated into your secure SDLC to discover vulnerabilities in advance and fix them.

Dhiraj Mishra, Zubin Devnani

Linux Privilege Escalation

Tuesday, August 8th ~ 10:30am — 6:30pm

Attackers never stop at initial compromise; there is always an end goal objective which often requires privileged access to specific devices or systems. Identifying the correct privilege escalation vector can often feel like looking for a needle in a haystack; however, with the right approach and understanding of the various controls in play, gaining full control can often be a safe assumption in many instances following initial foothold.

This workshop aims to equip those likely to find themselves with an initial foothold, with the skills to practically exploit a given privilege escalation vector on the target Linux system.

Troy Defty, Andrew Suters

Jumping from cloud to on-premises and the other way around

Tuesday, August 8th ~ 10:30am — 2:30pm

The use of the cloud is becoming more and more predominant in large companies. However, transitions from legacy infrastructure are sometimes done through “brutal” strategies (migration of 80% of the IS in 2 years). In fact, not all teams are properly trained in the new paradigm of security in the public cloud, leading therefore to blind spots in IS security.

This workshop aims to reintroduce the main principles of the public cloud (shared responsibility model, managed services, RBAC rights model), and to highlight the possible ways of elevating privileges within CSPs and lateralization between the management plane (CSP) and the data plane (AD).

Through a combination of theoretical lectures and hands-on exercises on dedicated labs, participants will gain a practical understanding of these concepts. No prior knowledge of cloud security or AD security is required.

Arnaud PETITCOL, Raymond CHAN

Threat Modeling 101 — Burn risks, not hope

Tuesday, August 8th ~ 10:30am — 2:30pm

Threat Modeling is the best way to discover and remediate threats in your system before they are even created. If done correctly, it is one of the most impactful security programs that you can run within your organization.

In the Security Industry, threat modeling has been misunderstood and many security folks are afraid to carry out a threat model. While it is commonly performed by Application Security or Cloud Security professionals, threat modeling can be done by anyone.

This hands-on workshop will cover the threat modeling workflow and common classes of vulnerabilities in a way that is easy to understand. You will also walk through many hands-on threat modeling examples to ensure that you will be empowered to discover threats in your systems.

Jeevan Singh

Cyber Threat Hunting (CTH) — Day 1

Tuesday, August 8th ~ 10:30am — 6:30pm

Understanding and practicing Cyber Threat Hunting activities

Bruno Guerreiro

How to build a security awareness strategy that works!

Tuesday, August 8th ~ 10:30am — 2:30pm

I created this training as a short, invigorating course that should help you whether you are established in your career in awareness, want to break into the sector, or are just curious about how to make awareness more than phishing and posters. We will go over key themes of trust building, inclusion and accessibility, qualitative data instead of dashboards, and how to evaluate vendors. Full resource packs are given to all attendees.

Michelle Levesley

Comprehensive Guide to Runtime Security

Tuesday, August 8th ~ 10:30am — 7:00pm

The adoption of containers and orchestration systems skyrocketed over the last few years. The popularity of these platforms makes them common targets for cybercriminals. Kubernetes combats this risk with built-in controls (such as Admission Controllers and RBAC authorization), but what if you want to observe the behavior of pods at runtime to detect intrusions? In this hands-on training, instructors will depict the cloud-native security landscape, dive into cloud detection and response and show how to detect unexpected behavior and intrusion.

This training is a comprehensive guide to Falco, the de facto CNCF open-source threat detection standard for Kubernetes environments. From using the default rules to customizing existing rules, and writing new Falco rules, attendees will walk away confident they can protect their environment against runtime threats, the last line of defense. Every participant will use a web browser to access their own lab environment, in which they will use Falco to identify and notify intrusions.

This session is for security practitioners who are new to cloud-native and want to expand their knowledge of runtime security, as well as those who are familiar with Falco and want to customize its detection capabilities by writing new rules.

Pablo Musa

Adding SAST to CI/CD, Without Losing Any Friends

Tuesday, August 8th ~ 10:30am — 7:00pm

Everyone wants to put tests into the release pipeline, but no one wants to wait hours for them to finish. In this learning lab we will discuss multiple options for adding static application security testing (SAST) to your CI/CD, in ways that won’t compromise speed or results, such as learning which results can be safely ignored, writing your own rules, company-specific checks, scanning PRs instead of commits, splitting blocking scans versus deep audit scans, etc. We will also cover ways to continuously find vulnerabilities.

Tanya Janca, Colleen Dai, Enno Liu

Got Hashes. Need Plains | Hands-on Password Cracking

Tuesday, August 8th ~ 10:30am — 7:00pm

A condensed, but nonetheless still very effective version of our commercial training on password auditing, recovery and cracking techniques.

Cracking passwords is a critical skill for today’s information security professionals. With the increasing amount of sensitive information and systems relying on passwords, protecting against unauthorized access is more important than ever. Whether you are looking to crack passwords to gain access to systems, or auditing systems for weak passwords to make them more secure — you will gain a deeper understanding of what various common hashing algorithms are, and how to effectively crack passwords using those hashing algorithms. By the end of this training, you will have a solid foundation of password cracking techniques and be equipped with the knowledge to use password cracking for offence and defence that will allow you to grow your skills and research. We will cover creating powerful wordlists and rules (and why you need them), the tools used to crack hashes and advanced techniques. This training will give you a strong baseline to get you started in your password cracking experience. See the description for the full outline.

Kyle Duncan

Email Detection Engineering and Threat Hunting

Wednesday, August 8th ~ 10:30am — 6:30pm

Email remains the #1 initial access vector for commodity malware and nation-state actors. Historically, tackling email-based threats has been considered the purview of black-box vendor solutions, with defenders having limited scope (or tooling!) to swiftly and effectively respond to novel offensive tradecraft.

In this training, attendees will be given detailed insight into the latest techniques used to deliver prevalent malware strains, including QakBot and Emotet, and will hunt through email data to identify this malicious activity, developing rules to detect and block these attacks.

Initially attendees will be introduced to the foundational technologies that enable threat hunting and detection engineering in the email domain, before being given access to the email data of a fictitious company seeded with benign and real-world attack data.

Attendees will be guided through the rule creation process, utilizing free and open detection engines including Sublime and Yara, and will be introduced to the signals that can be used to craft high-fidelity rules, including sentiment analysis, domain age, and attachment analysis. Having completed the training, attendees will have a strong understanding of the tools and techniques at their disposal to defend their organizations from all manner of email threats.

Josh Kamdjou, Alfie Champion

Linux Digital Forensics: a theoretical and practical approach

Wednesday, August 8th ~ 10:30am — 2:30pm

As hardening and monitoring of Windows systems is becoming more mature in corporate environments, cybercriminals and APTs increasingly turn to Linux hosts to conduct their campaigns.

Whether you are new to incident response (IR), or a tailored responder looking to improve your Linux forensics skills, this workshop aims to provide you with the necessary knowledge and tools to investigate compromised Linux systems.

This workshop will cover the different steps of Linux IR, from data acquisition to TTPs analysis, while introducing Linux malware analysis fundamentals. Participants will be able to practice their newly acquired abilities on a hands-on exercise, which consists of a triage collection and a disk image from a compromised system. Inspired by several IR engagements of the CERT-W, this challenge will give insight on real-life attacks of Linux systems.

Thomas DIOT, Maxime Meignan, Axel Roc

Cyber Threat Hunting (CTH) — Day 2

Wednesday, August 8th ~ 10:30am — 6:30pm

This is the second day of the 2-Day training

Bruno Guerreiro

Defense-in-Depth engineering

Wednesday, August 8th ~ 10:30am — 6:00pm

The 2021 OWASP Top Ten introduced a category “Insecure Design” to focus on risks related to design flaws. In this training, we will focus on building defense-in-depth software. What can we do to proactively architect software to be more resilient to attacks? What type of findings may not be discovered via automated static analysis? How can we design our software to be more friendly during incident response scenarios?

This one-day training is perfect for engineers as well as security practitioners that have some familiarity with the OWASP top 10. During this training, we will focus on identifying often-overlooked architectural anti-patterns and vulnerabilities to be on the lookout for. We will utilize source code review to analyze patterns for improvement in both real-world applications as well as intentionally vulnerable applications. Every interactive exercise will involve discovering concerns and writing code to engineer solutions. The course will wrap up with real-world vulnerability analysis of open-source software with an effort to help provide more secure architectural recommendations for these projects.

John Poulin, Michael McCabe

Pentesting ICS 101

Wednesday, August 8th ~ 10:30am — 2:30pm

Do you want to learn how to hack Industrial Control Systems? Let’s participate in the one and only CTF in which you really have to capture a flag, by hacking PLCs and taking control of a robotic arm! We’ll start by explaining the basics of Industrial Control Systems: what are the components, how they work, the protocols they use… We’ll learn how PLCs work, how to program them, and how to communicate with them using Modbus, S7comm and OPC UA.

Then we’ll start hacking! Your goal will be to take control of a model train and robotic arms to capture a real flag! The CTF will be guided so that everyone learns something and gets a chance to get most flags!

Arnaud SOULLIE, Alexandrine Torrents

Deep Dive into Fuzzing — Day 2

Wednesday, August 8th ~ 10:30am — 6:30pm

This is the second day of the 2-day training.

Dhiraj Mishra

Honey, is that you? Building test-driven, identity-centric honeypots together.

Wednesday, August 8th ~ 10:30am — 7:00pm

Honeypots are a go-to tool for asking attackers questions and simulating production systems in a safe environment. Nothing gets attackers to answer “What’s in your credential stuffing arsenal?” quite like a juicy login box. We’ll discuss the whys and the hows of honeypots and take a journey into identity security by making a simple application we can deploy anywhere and analyze attacker behavior.

Mathew Woodyard, George Vauter

Build Your Own Cat-Shaped USB Hacking Tool!

Wednesday, August 8th ~ 10:30am — 7:00pm

Want to learn how hackers exploit computers in seconds? This beginner-friendly workshop walks you through assembling your own cat-shaped hacking console, which you’ll use to try out fun hacking demos! You’ll learn to solder, write your own USB attack scripts, and learn the techniques hackers use with your new cat companion!

Alex Lynd

Middle Ground

The Main Stage in Florentine C & D is ground zero for all of our off-track activities. Ongoing announcements, music, and other surprises will happen throughout the conference. Stop in and relax, talk with your friends, visit our sponsors, or just enjoy the music.

Lockpick Village

Want to try your hand at the art of lockpicking? Come visit the Lockpick Village! We bring the locks and picks. All you’ll need is a sense of curiosity. We’ll also have contests and beginner sessions on both days of the conference. All skill levels are welcome, as volunteers will be on hand to help you get started. Beginner sessions will be held at 11:30 each day. If you’re feeling competitive, drop by for one of the contests held at 16:00 daily!

Security BSides Organizers Meet-Up

The Security BSides Las Vegas Meet-Up for current organizers of existing Security BSides events is a wonderful opportunity to share stories and commiserate. Come meet and mingle with your fellow security cultists. Join us Tuesday at 19:00.

DCG 201 TALK HIGHLIGHTS FOR BSIDES LAS VEGAS 2023 (PST)

This is the section where we have combed through the entire list of talks on both days and list our highlights for the talks that stand out to us. Note that this does not invalidate any talks we didn’t list; in fact, we highly recommend you take a look at the full convention schedule beforehand and make up your own talk highlight lists. These are just the talks that for us had something stand out, either by being informative, unique or bizarre. (Sometimes, all three!)

TUESDAY, AUGUST 8TH

Build hybrid mobile applications like a security pro!

Ground Floor ~ 10:30am — 11:15am

Hybrid mobile applications, unlike native ones, primarily function through a set of external, generally open source, libraries that help access the mobile operating system’s native capabilities. But what does this mean in terms of security? Mobile applications come with their own set of security loopholes and attack vectors. Does this approach pose new challenges or exacerbate existing ones? In this talk, instead of discussing a known set of secure libraries, the attendees will understand the mobile threat model and learn how to vet a library by themselves.

VINEETA SANGARAJU

F🖕🖕🖕 Your ML Model

Ground Truth ~ 10:30am — 11:15pm

Yeah, Machine Learning is cool, but have you ever curled up with Logic Programming on a rainy day? Ever watched a baby AI Planner take its first steps? Ever ditched work early on a Friday and roadtripped to Vegas with an Optimization Solver?

In this session we’ll take a step back from all the machine learning gigahype and look at the wider world of AI. We’ll explore how NASA drives robots on Mars, how video games create intelligent agents, and how Google interrogates its massive Knowledge Graph.

In each case we’ll see how the same AI methods can be adapted to tackle hard security problems, like tool orchestration and attack surface minimization, and we’ll build out small-scale versions of these problems and show how to solve them using open source libraries.

Colt Blackmore

How to communicate with non-security specialists to drive action

Common Ground ~ 11:00am — 11:20am

How many times have you let someone know about a critical issue, only to be dismissed? Or maybe you see a significant improvement to a process that can be made, but no one senses the urgency or understands why they need to change their way of working?

So much of the work in security today is persuading people to act — to fix, to change, to update, to communicate.

Technical prowess is often the starting point of many careers, but the ability to communicate and persuade people to act is what will fuel career growth and influence change within an organization.

In this talk, security practitioners of all levels learn the valuable pieces of communication to resonate with others and drive action.

Ashleigh Lee

The History of Malware- From Floppies to Droppers

Common Ground ~ 11:30am — 12:15pm

Modern malware, such as ransomware, has become synonymous with some of the most devastating cyber attacks of our time. But it hasn’t always been so. Not too long ago, malware was considered a myth. The first ransomware, for example, was created over 30 years ago as a wild scheme, devised by a man armed with 10,000 floppy disks and a virus. Since then, malware has evolved in many different ways, as technology changes and evolves. Looking back and analyzing this history gives us an unusual perspective: what elements of malware have changed throughout the years, and what has remained consistent? How has this evolved into the most impactful form of cybercrime today, and what can this surprising, untold history teach us about our present and future?

Eliad Kimhy

The Dark Playground of CI/CD: Attack Delivery by GitHub Actions

Breaking Ground ~ 11:30am — 12:15pm

GitHub provides an official CI/CD feature called GitHub Actions. While this feature is convenient for developers, it may also offer an attractive attack vector for attackers, motivating us to research the potential for attacks using GitHub Actions.

This study investigates known attack techniques already used by attackers and includes unknown attacks not yet observed in the wild. Attacks abusing the features of custom action and self-hosted runner have not been previously used by attackers nor published by researchers; our research has uncovered new attack vectors.

In this presentation, we will demonstrate the attack techniques we developed, “Malicious Custom Action” and “GitHub Actions C2”, including code explanation and demos, and share our research findings on threats “Free Jacking”, “Malicious Public PR&Fork” and “Theft of Secret”. Furthermore, we will discuss the systematization of these attacks based on two perspectives: GitHub’s features and threat levels.

Other CI/CD services have similar features to GitHub, which means these attacks could be abused on services other than GitHub. By discovering threats in CI/CD, we hope to enhance the overall security of these services. Regarding this research, we have been in contact with GitHub and are taking steps towards information disclosure and countermeasures.

Yusuke Kubo, Kiyohito Yamamoto

Lies, Telephony, and Hacking History

Ground Floor ~ 11:30am — 12:15pm

Who’s ready for some “Show & Telecom”? This talk takes attendees on a historic retrospective journey through time. Learn when Social Engineering first intersected with Technology, following previous advancements in Telecommunications. Our expedition highlights the technological origins of Phone Phreaking, Computer Hacking, Social Engineering, and how these activities relate to modern times. The speaker brought numerous hardware relics from the past to show the crowd throughout this presentation. Come learn about what the underground phone phreak and early computer hacker scenes were like before there was a Cybersecurity industry and associated career paths.

Matt Scheurer

Breaking In: Unleashing the Power of Physical Offensive Security

Proving Ground ~ 12:00pm — 12:25pm

Do you know SPY×FAMILY? It is a Japanese anime in which a brilliant SPY plays an active role. The SPY can easily infiltrate a company building. But in fact, even if you’re not that skilled of a SPY, you can easily infiltrate.

Physical security is often overlooked when companies consider cybersecurity. Insufficient physical security measures allow attackers to physically intrude into restricted areas and even break into cyberspace by hacking LAN ports in offices. And indeed we were able to conduct evaluations against several companies and subsequently break into their corporate networks and take files that imitated confidential information.

In this presentation, we will explain and demonstrate attack methods such as intruding into a building by impersonating an external company, breaking through security gates by duplicating RFID using the latest technology, and bypassing MAC address filtering by LAN port hacking. We hope to help the audience understand how easy physical attacks are and to help companies strengthen their physical security measures.

Barry O’Callaghan, Tetsuya Takaoka

The Telenovela of Latin America Banking Trojans: A Dramatic story about Cybercrime

Ground Floor ~ 2:00pm — 2:45pm

Get ready for a thrilling ride as we dive into the Telenovela of Banking Trojans! This talk is not your average cybersecurity talk; it’s a drama-filled story of bad threat actors and their relentless attacks.

Join us as we uncover the twists and turns of one of the most insidious threats to the world of cybercrime. We’ll be exploring the dramatic rise of Latin American banking malware families and how they’re making their way across the world.

We’ll delve into the anatomy of some malware families, and their sneaky modus operandi, and explain why they’re so darn hard to get rid of. Think of it like trying to get rid of a bad ex, except this one is actually damaging your bank account.

As the world battles with cybercrime, banking trojans have emerged as one of the most persistent threats. So, grab some popcorn and join us for this riveting drama of cybercrime.

Cybelle Oliveira

Hungry, Hungry Hackers: A Hacker’s Eye-view of the Food Supply

I Am The Cavalry ~ 2:00pm — 2:45pm

(ALSO AT DEFCON 31)

Sick Codes has dazzled Hacker Summer Camp and the world for the last few years — most recently with last year’s Doom on a Deere. His last several years of research and engagement with the food supply and its vulnerable equipment extends beyond tractors. He will share some of what he has found, how others can get involved, and some of the increasing risks and stakes for the food we put on our table. This hacker perspective will feed into the subsequent session that will further cultivate the risks to the larger food supply ecosystem.

Sick.Codes

Unveiling the Hidden: Discovering RDP Vulnerabilities using PDF Files

Breaking Ground ~ 2:30pm — 2:50pm

In our latest research, we explored innovative approaches in uncovering security vulnerabilities within the RDP protocol. Rather than leveraging the conventional reverse engineering tools, we exclusively utilized Open-Source Intelligence (OSINT) techniques, leading us to discover significant security shortcomings, including instances of remote code execution, as well as bypasses of security mechanisms. Our presentation will introduce the RDP protocol and its various use cases, in addition to detailing the motivations behind our adoption of an unconventional research methodology. We will delve into how protocol specifications, open-source implementations, and other publicly accessible resources can be used to reveal hidden vulnerabilities. We will give a comprehensive overview of the vulnerabilities discovered and an in-depth analysis of the most significant ones.

Dor Dali

Social Engineering: Training The Human Firewall

Ground Truth ~ 2:30pm — 2:55pm

Phishing is one of the leading cyber attacks worldwide, resulting in numerous social engineering training exercises to train average users to defend against these attacks. This discussion focuses on research that exposed a pool of users to three different phishing campaigns, each campaign focused on a different threat. The purpose of the study is to find the psychological reasoning as to why users click phish. The results will teach the audience how to measure risk, improve security education, and understand the users in their business.

Reanna Schultz

Building Your Own AI Platform and Tools Using ChatGPT

Ground Truth ~ 3:00pm — 3:45pm

Artificial Intelligence (AI) is taking the world by storm. There seem to be so many new platforms popping up daily. AI platforms for red and blue teams already exist, but are they custom tailored to your organization’s environment? If not, then maybe it is time to create your own.

This talk explores the basics of creating your own AI platform using TensorFlow and how it gives adversaries an advantage in the AI sphere. Topics covered will be the use and benefits of TensorFlow; collecting, cleaning, and training the data using modeling algorithms; working with TensorFlow .H5 files; and bringing everything together into a basic working platform using a command-line interface (CLI). Working with additional .H5 files to test data sets to add to the platform will also be included. Pre-made tools will be demonstrated if time and technology constraints allow for it. If you are interested in learning about building your own AI platforms and learning the basic steps and components involved in creating your own, then this talk is for you.

Peter Halberg

The Importance of Engineering Privacy From the Get Go

Ground Floor ~ 3:30pm — 3:50pm

The software we build has a human impact even if at surface level it doesn’t seem that way. We as engineers are the stewards of our users’ data so it’s important to know how users are expecting us to protect their identity because it is the right thing to do even if it takes a little more time and effort to build in. This talk will cover the current challenges to securing user data and provide tips on how to protect it.

Christina Liu

The GitHub Actions Worm: Compromising GitHub repositories through the Actions dependency tree

Underground ~ 4:00pm — 4:45pm

How wide can a GitHub Actions worm spread? In this talk, I’ll demonstrate how a worm can crawl through actions and projects, infecting them with malware. We will explore the ways in which actions are loosely and implicitly dependent on other actions, and create a graph-based dependency tree for GitHub actions. This map will set the path for our worm as it searches for a way to infect as many action dependencies and target as many GitHub projects as possible. Join this talk to learn about the methods our worm uses to make its way towards other actions, to get familiar with the high-profile open source projects we could hijack, and to see this worm in action in a demo.

Asaf Greenholts

Water, Water Everywhere: The Krakens, Kelpies, and Mermaids in today’s Water Sector

I Am The Cavalry ~ 5:00pm — 6:00pm

Water is life…and increasingly exposed to accidents and adversaries. There are over 150,000 water systems in the United States alone. Further, water is on the critical path for the resilient functioning of health care, fossil and nuclear power plants, food production, and living populations. Dean will be discussing some of the existing security challenges of the water system, and how they can impact other critical infrastructure sectors.

Dean Ford

Password911: Authentication Adventures in Healthcare

PasswordsCon ~ 5:00pm — 5:45pm

Healthcare is a tricky field when it comes to cyber security. It’s a bad day if your anesthesiologist gets locked out of their account mid-surgery. Likewise, when you have a medical emergency halfway around the world you might not be in any condition to give local caregivers authentication credentials. This talk will cover some of the challenges with providing authentication in clinical settings as well as current approaches to tackling this issue.

Matt Weir

Hiding in Plain Sight — The Untold Story of Hidden Vulnerabilities

Breaking Ground ~ 6:00pm — 6:45pm

In today’s software development landscape, vulnerability scanners and SCA tools play a vital role in identifying potentially vulnerable software components and mitigating associated risks. However, their effectiveness remains questionable due to differences in implementation, coverage, and performance, as well as inherent blindspots that make them oblivious to critical vulnerabilities in real-world scenarios.

In this talk, we will present the results of a groundbreaking benchmark and root cause analysis research that evaluated leading commercial and open-source vulnerability scanners and SCA tools. We will showcase the main causes of scanner misidentifications, including blindspots created by common build and deployment practices, and thousands of hidden vulnerabilities we identified in real-world applications, many of which are known to be exploited in the wild.

Our findings expose a significant gap in the effectiveness of these tools and raise awareness about the need for objective evaluation criteria. Attendees will leave with a better understanding of the limitations of vulnerability scanners and SCA tools, as well as the importance of adopting more holistic approaches to software security.

Yotam Perkal, Ofri Ouzan

How to have perfect vulnerability reports and still get hacked

Common Ground ~ 6:00pm — 6:45pm

What vulnerabilities are really lurking in a given application? The assumption that we can answer that question undergirds US government mandates both recent and decades-old. Hackers, of course, know that this is absurd: attackers have 0days and aren’t afraid to use them. But even a much-humbler goal, “free of known vulnerabilities,” isn’t as feasible as we’ve been led to believe. In this talk, we’ll see the pitfalls of common tools — software composition analysis (SCA) and software bills of material (SBOMs) — commonly brought up as silver bullets for this issue. We’ll see the vulnerability reporting ecosystem, including databases and manual triage of vulnerabilities in your application.

Nonetheless, we’re hopeful: these tools are stronger together and can do a good job in many scenarios. Further, we’ll see what the future holds for bringing us closer to “free of known vulnerabilities” status, from open-source tooling to better government policy.

Attendees to this session will learn about:

  • automated security tools that miss what’s right in front of them,
  • empirical research exposing vulnerability management challenges,
  • the fight against security by obscurity, and
  • the daily commitment to keep applications free of known vulnerabilities.

Zachary Newman, Luca Guerra

Public Service Journeys (To and From Hacking Culture)

I Am The Cavalry ~ 6:00pm — 6:45pm

From an Air Force combat pilot into the loving arms of the helpful hacker community and ultimately co-founding the Aerospace village, “Spanky” has found common cause and common purpose with this motley crew and community… From an intern and Cavalry Force of Nature organizing the first Congressional Delegation to Hacker Summer Camp, Ayan is now serving in the White House Office of National Cyber Director (ONCD). These journeys and pathways both run through the mission of I am the Cavalry, the Aerospace Village, and culminated in intense collaboration in the CISA COVID Taskforce. Part of the strength of this decade of making the world a safer place draws from the diversity of skills and experiences.

Our differences have made us stronger and we have asked these two to reflect on their origin stories and different teammates and skills that have helped to protect the public.

Steve Luczynski, Ayan Islam

WEDNESDAY, AUGUST 9TH

Generative AI: The Three Concerns Problem

KEYNOTE ~ Breaking Ground ~ 9:30am — 11:15am

When it comes to GenAI and LLMs, there are three concerns and three corresponding opportunities.

Renowned security researcher and executive Sounil Yu discusses solving for all three of these concerns, and provides specific frameworks and models that allow us to understand the necessary guardrails for each.

Sounil Yu

Management Hacking 102: Personalities, Empathy, and Difficult Conversations

Hire Ground ~ 10:30am — 11:15am

Why do some employees act and communicate very differently than others? Could you have been more empathetic with a challenging employee? How does your team deal with change and why do we avoid difficult conversations? No matter how long you’ve been a leader, eventually you’ll be faced with these situations and unfortunately they don’t get any easier to deal with.

Last year in Management Hacking 101 we discussed the fundamentals of managing and leading teams such as coaching, hiring, evaluating performance, and understanding emotional intelligence. In this talk we’ll dive deeper into four of the most important areas that all leaders need to know more about: understanding the personalities, relationships, and motivations of our employees, how we can be more empathetic with the people we lead, guiding employees through the change cycle, and how to have difficult conversations.

Join Tom Eston, VP of Consulting & Cosmos at Bishop Fox, as he shares his personal lessons and stories from years of leading teams on these topics so you can become a better manager and leader.

Tom Eston

The Birds, the Bees, and the CVEs: Understanding the Novel Vulnerabilities in Critical Infrastructure

Proving Ground ~ 10:30am — 10:55am

During this talk, Iain Deason will describe the difficulties and the techniques used to understand the impact of product vulnerabilities on different critical infrastructure sectors. When new and novel vulnerabilities are disclosed, especially in control systems and medical devices, it can be difficult for asset owners to understand the potential impacts to the larger ecosystem or the affected critical infrastructure sector. The audience can learn of different strategies that have been utilized to understand the risk of new and novel vulnerabilities, and potentially gain a new perspective on when vulnerabilities enter the ecosystem and on coordinated vulnerability disclosure.

Iain Deason

The British are Coming! (To Talk IOT Secure By Design)

I Am The Cavalry ~ 10:45am — 12:05pm

Representatives from the UK will be present to discuss the Department for Science, Innovation & Technology. Major goals:

  • positioning the UK at the forefront of global scientific and technological advancement
  • driving innovations that change lives and sustain economic growth
  • delivering talent programmes, physical and digital infrastructure and regulation to support our economy, security and public services
  • R&D funding

Jen Ellis (+2 UK folks)

The Brazilian DeepWeb. How Brazilian fraud groups work on Telegram and WhatsApp

Proving Ground ~ 11:45am — 11:20am

Many investigative agents talk about cybercrime on the Deep and Dark Web, but in Brazil the reality is a little different. The study gives insight into how groups act, the main scams, and especially how the use of counterintelligence can help in gathering information about targets.

Thiago Bordini

Mainframe Hacking for CICS and Giggles

Breaking Ground ~ 11:30am — 12:15pm

Mainframe systems continue to drive global economic activity despite the “legacy” label they are often associated with. In fact, mainframes are responsible for business-critical functions across 70 percent of Fortune 500 companies. If you have ever withdrawn cash at an ATM, done your taxes online, or booked a flight for your next holiday, you have likely interacted with a mainframe application. As with all business-critical systems, ensuring they are secure is imperative. This talk is designed for anyone interested in the security of these mainframe applications.

We will go over how mainframe systems work, why they are so important, how the applications work, how they are used, and how the researchers were able to exploit a number of vulnerabilities in real world mainframe applications.

Jay Smith, Jan Nunez

Overcoming Barriers in Security DSLs with BabbelPhish: Empowering Detection Engineers using Large Language Models

Ground Truth ~ 12:00pm — 12:20pm

The rise of detection-as-code platforms has revolutionized threat detection, analysis, and mitigation by leveraging domain-specific languages (DSLs) to streamline security management. However, learning these DSLs can be challenging for new detection engineers.

In this talk, we introduce BabbelPhish, an innovative approach utilizing large language models to bridge the gap between natural language queries and security DSLs. We demonstrate its application to MQL, Sublime Security’s free DSL for email security, and its potential extension to other DSLs. BabbelPhish enables users to harness the full potential of detection-as-code platforms with familiar natural language expressions, facilitating seamless transitions from triage to querying and coding.

We will discuss BabbelPhish’s architecture, training process, and optimization techniques for translation accuracy and MQL query validity. Through live demonstrations and user interviews, we will showcase its real-world applications and implementation options, such as a VSCode plugin.

Join us as we explore how large language models can integrate natural language capabilities with the precision of security DSLs, streamlining security management and threat hunting, and making detection-as-code platforms accessible to a wider range of security professionals.

Bobby Filar

Home Labs for fun and !profit (Put your home lab on your resume!)

Hire Ground ~ 1:30pm — 2:15pm

Oh sure, you read all those posts about “My Home Lab” with all the pictures of 19” racks in a garage or basement. But seriously, how can you truly utilize your home lab, not just to learn, but to boost your career and help you get noticed as being that “Unique Individual” that a company really wants to hire!

Come join this talk to learn about building a Home Lab on a budget AND using it to really get ahead. Your lab should be an advantage and a fun learning experience without breaking the bank. Let’s build some systems, run some demos and see how to use all of this to NAIL that next job interview!!

Kat Fitzgerald

How I Met Your Printer

PasswordsCon ~ 2:00pm — 2:45pm

Often on penetration tests I encounter printers. Lots of printers. The smarter the printer, the more likely I’ll gain access to your entire organization by making it do things that will make your IT admins gasp in fear! Come watch as I demonstrate how you too can get your printers to give up all of their secrets.

Tom Pohl

Gang Gang: Assembling and Disassembling a Ransomware Gang

Underground ~ 2:00pm — 2:45pm

Ever wonder what goes into a ransomware gang startup? Take this trip with me as I share with you my journey into the ransomware world. Listen to how I struggled to gain acceptance, engaged in a small romance and worked my way up the wobbly ladder.

Ms.Harb

Cognitive Security and Social Engineering: A Systems-Based Approach

Ground Truth ~ 3:00pm — 3:45pm

Cognitive Security is differentiated from more traditional security domains in three ways. First, cognitive security is concerned with protecting cognitive systems, not necessarily humans; second, cognitive security considers multiple dimensions of system interaction; and third, cognitive security considers multiple scales of operation. Adopting a “systems” perspective considers the interconnectedness of system elements, the function of the system, and scalability, including systems-of-systems in which one system influences another. This can be problematic from a security perspective because an effect might be induced in one system that causes an effect in another system, without the affected system having visibility into the original cause. Three scales of engagement: the tactical level (single engagements), the operational level (multiple engagements), and the strategic level (traditional security concerns in addition to political and economic levers), combined with an extended OSI Model which includes Layers 8, 9, and 10 to describe human factors, describe a full stack for cognitive security. In order to successfully launch a cognitive attack, threat actors must achieve the objectives of four phases of a Cognitive Security Attack Cycle: Collection, Preparation, Execution, and finally Exploitation. Each phase implies points of vulnerability at which an attack might be disrupted.

Matthew Canham

Hunting Cryptoscam Twitter Bots: Methods, Data & Insights

Underground ~ 3:00pm — 3:45pm

“Having issues with your crypto wallet? send a DM! contact us at legit-wallet-supp0rt@gmail.com!” This is the kind of message anyone mentioning specific crypto brands in a tweet is receiving. Our talk will deep dive into the bots spreading these fraudulent tweets and their operators. We will use a dataset collected over several months to educate about what triggers bots and to draw conclusions about the infrastructure behind them. We will also demonstrate how this data can be used effectively not only to hunt bots at scale but also to detect unknown trigger-words and monitor fraud trends (guess, for example, what happened after certain exchanges collapsed?). As a bonus, we will share our multiple correspondences with fraudsters, pretending to be “innocent victims”, and how we leveraged social engineering to track them down.

Gal Bitensky

Playing Games with Cybercriminals

Ground Truth ~ 5:00pm — 5:45pm

Up to this point in time, the primary law enforcement strategy used to fight cybercrime has been the “hammer”. Given that a core function of policing has been to arrest criminals, it is no surprise that offenders involved in digital crimes like hacking, online fraud and malware have also faced prosecution. Alongside arrests has been the takedown of cybercriminal infrastructure, such as marketplaces or botnets. This has been carried out by law enforcement, with industry also playing a role. But questions have been raised about the long-term impact of such operations, and whether new players or infrastructure simply emerge with the cybercrime threat continuing unabated, or even growing.

This talk moves beyond the law enforcement hammer, and examines whether there are softer approaches which might also be used to reduce the threat of cybercrime. In particular, it focusses on the underlying economics of cybercrime and the levers which could be pulled to damage the efficiency of cybercriminal markets and disrupt illegal operations. In short, can law enforcement, and their partners in industry, play games with cybercriminals?

Jonathan Lusthaus

It’s not the end of the world but you can see it from here.

Underground ~ 5:00pm — 5:45pm

I will discuss real-world equipment hacks caused by nation-state actors attacking humans and ways to mitigate similar impacts. Examples will cover a range of laboratory equipment, including research labs and industrial manufacturing facilities. In this talk, we will explore the common causes of laboratory and OT equipment breaches caused by human error, including misconfiguration, misuse, and malicious actions. We will examine the potential consequences of such failures, including data loss, damage to equipment, and even injury. I will also present a range of strategies for preventing such issues, including implementing standard operating procedures with a security focus, using equipment monitoring systems, and adopting best practices for equipment architecture.

Nathan Case

From Bug Bounty Hunter to Program Operator: A Guide to Building Successful Bug Bounty Programs

Common Ground ~ 5:30pm — 5:50pm

Managing a successful bug bounty program requires a distinct set of skills and perspectives. For those experienced in bug hunting, transitioning to a program operator role might be a natural progression. In this talk, we will delve into the challenges and advantages of making this switch, using real-world examples and personal experiences.

We will begin by highlighting the key differences between the roles, such as moving from hunting bugs to overseeing program management and collaborating with security researchers. We will also explore the essential knowledge and skills needed for success in this role, including vulnerability management, effective communication, and designing program incentives.

Drawing from my experience as both a bug bounty hunter and program operator, I will share valuable insights and best practices for creating and managing successful bug bounty programs. We will discuss crucial aspects such as defining program scope, implementing efficient triage and remediation processes, and devising incentives that foster ethical behavior and high-quality submissions.

Lastly, we will examine the benefits of having experience in both roles, such as a deeper understanding of security researchers’ motivations and techniques, and the ability to apply this knowledge to develop more effective and streamlined programs.

Griffin

Oops, I Leaked It Again — How we found PII in exposed RDS Snapshots

Breaking Ground ~ 6:00pm — 6:45pm

The Amazon Relational Database Service (Amazon RDS) is a Platform-as-a-Service (PaaS) that provides a database platform based on a few optional engines (e.g., MySQL, PostgreSQL, etc.).

A Public RDS snapshot is a useful feature that allows a user to share public data or a template database to an application, but when wrongly used, may accidentally leak sensitive data to the world, even when using highly secure network configuration.

We at Mitiga discovered hundreds of databases being exposed monthly, with extensive Personally Identifiable Information (PII) leakage.

In this talk we cover the main aspects of RDS snapshots and how easy it is to accidentally expose sensitive data widely to the world. Our research process is based on extensive investigation of the RDS service, its configurations, and limitations.

In the session the participants will gain relevant knowledge about RDS snapshots, including real-life examples of the risk of using this service, and recommendations on how to prevent, detect and remediate the risk of accidentally sharing RDS snapshots publicly. We will share an in-depth description of our automated process, which includes procedures to constantly monitor for public snapshots and remove any that are found.

Ariel Szarf, Doron Karmi

For Intel and Profit: Exploring the Russian Hacktivist Community

Underground ~ 6:00pm — 6:45pm

It is not common for analysts to have the opportunity to study the social circles of criminal organizations, but occasionally, a threat group that is more transparent than others emerges. Since the Russian invasion of Ukraine, the security community has had the opportunity to examine several threat groups that are part of the growing Russian hacktivist community, gaining valuable insight into the structure, operations, relationships, and connections between its members and the community around them. These interactions over the last year have taught us about the social and financial backing of the Russian hacktivist community and shown us what the future of hacktivism will look like.

Daniel Smith, Pascal Geenens

Trusted Devices: Unlocking a Password Manager without a password

PasswordsCon ~ 6:00pm — 6:45pm

We had a major challenge at 1Password. Our customers wanted to use their single sign-on providers to log in to 1Password. But logging in to a password manager means deriving decryption keys. How do you get a decryption key from an SSO sign-in?

Rick van Galen, James Griffin

What the Yandex Leak Tells Us About How Big Tech Uses Your Data

Common Ground ~ 6:30pm — 6:50pm

(ALSO AT DIANA INITIATIVE & BLACK HAT USA)

In late January 2023, almost 45 GB of source code from the Russian search giant Yandex was leaked on BreachForums by a former Yandex employee. While the leak itself did not contain user data, it reportedly contained the source code for all major Yandex services, including Metrika, which collects user analytics through a widely used SDK, and Crypta, Yandex’s behavioral analytics technology. While there has been lots of speculation about what big tech companies can do with the massive amounts of data they collect, this is the first time outsiders have been able to peek behind the curtain to confirm it, and what we’ve found is both fascinating and deeply unsettling.

Kaileigh McCrea

DCG 201

North East New Jersey DEFCON Group Chapter. Dirty Jersey Represent! We meet at Sub Culture once a month to hack on technology projects! www.defcon201.org