HACKER SUMMER CAMP 2024 GUIDES — Part Fourteen: Black Hat USA 2024
Welcome to the DCG 201 Guides for Hacker Summer Camp 2024! This is part of a series where we are going to cover all the various hacker conventions and shenanigans both In-Person & Digital! This year in 2024 we have completely lost our minds and thus we will have a total of 18 guides spanning 3 months of Hacker Insanity!
As more blog posts are uploaded, you will be able to jump through the guide via these links:
HACKER SUMMER CAMP 2024 — Part One: Surviving Las Vegas & Virtually Anywhere 2024
HACKER SUMMER CAMP 2024 — Part Two: Capture The Flags & Hackathons
HACKER SUMMER CAMP 2024 — Part Three: Design Automation Conference #61
HACKER SUMMER CAMP 2024 — Part Four: ToorCamp 2024
HACKER SUMMER CAMP 2024 — Part Five: LeHack 20th
HACKER SUMMER CAMP 2024 — Part Six: HOPE XV
HACKER SUMMER CAMP 2024 — Part Seven: SummerCon 2024
HACKER SUMMER CAMP 2024 — Part Eight: DOUBLEDOWN24 by RingZer0
HACKER SUMMER CAMP 2024 — Part Nine: TRICON & REcon 2024
HACKER SUMMER CAMP 2024 — Part Ten: The Diana Initiative 2024
HACKER SUMMER CAMP 2024 — Part Eleven: Wikimania Katowice
HACKER SUMMER CAMP 2024 — Part Twelve: SquadCon 2024
HACKER SUMMER CAMP 2024 — Part Thirteen: BSides Las Vegas 2024
HACKER SUMMER CAMP 2024 — Part Fourteen: Black Hat USA 2024
HACKER SUMMER CAMP 2024 — Part Fifteen: DEFCON 32
HACKER SUMMER CAMP 2024 — Part Sixteen: USENIX Security Trifecta 2024
HACKER SUMMER CAMP 2024 — Part Seventeen: HackCon 2024
HACKER SUMMER CAMP 2024 — Part Eighteen: SIGS, EVENTS & PARTIES
BLACK HAT USA 2024
Date: Saturday, August 3th (8:00 AM PST) — Thursday, August 8th (6:00 PM PST)
Website: https://www.blackhat.com/us-24/
Location: Mandalay Bay Convention Center (3950 Las Vegas Blvd. South Las Vegas, Nevada 89119)
Black Hat USA Android App: https://play.google.com/store/apps/details?id=com.swapcard.apps.android.blackhat&hl=en_US&gl=US
Black Hat USA iOS App: https://apps.apple.com/us/app/black-hat-events/id1521865489
Platform(s): Black Hat USA CISO Summit as well as the Main Conference including Briefings, Arsenal, the Business Hall, and more, will take place on the Swapcard Virtual Event Platform. Black Hat USA Trainings will be taught online on the GoToTraining virtual classroom platform..
Schedule: https://www.blackhat.com/us-24/schedule.html
Live Streams:
Youtube (KEYNOTES): https://www.youtube.com/user/BlackHatOfficialYT
CyberRisk TV: https://scmagazine.com/blackhat
NOC: https://www.twitch.tv/blackhatnoc
— Dark Reading —
Wednesday: https://www.youtube.com/watch?v=6Fn0gR-qX5w
Chat: TBA
Accessibility: Only registered attendees will be able to view the Briefings (Talks) and Workshops attendance not only have a price tag but are filled in by a case-to-case basis. Virtual Business Pass is free and gets you access to the rest of the convention including the Business Hall, Arsenal, Contests, Sponsored Talks and more. See deals for In-Person Vegas later in this guide.
Tickets: https://www.blackhat.com/us-24/registration.html
Code Of Conduct: https://www.blackhat.com/code-of-conduct.html
From its inception in 1997, Black Hat has grown from a single annual conference in Las Vegas to the most respected information security event series internationally. For more than 20 years, Black Hat Briefings have provided attendees with the very latest in information security research, development, and trends in a strictly vendor-neutral environment. These high-profile global events and Trainings are driven by the needs of the security community, striving to bring together the best minds in the industry.
Now in its 27th year, Black Hat USA returns to the Mandalay Bay Convention Center in Las Vegas with a 6-day program. The event will open with four days of specialized cybersecurity Trainings (August 5–10), with courses for all skill levels. The two-day main conference (August 9–10) will feature more than 100 selected Briefings, dozens of open-source tool demos in Arsenal, a robust Business Hall, networking and social events, and much more!
Continuing it’s organizational structure since the 2020 Pandemic Lock-down, the Black Hat hybrid event experience in 2023 offers the cybersecurity community a choice in how they wish to participate. They will host both an in-person experience in Las Vegas and a virtual experience online. When you purchase a Briefings Pass, you can select whether to attend in-person or online.
If you choose the Virtual Only Briefings Pass, you will have access to all the online and recorded Briefings Sessions, Sponsored Sessions, Arsenal Demos and the Business Hall. You will also have access to the recorded sessions for 30 days after the event.
If you choose the In-Person Briefings Pass you will have access to BOTH the in-person Briefings, Sponsored Sessions, Arsenal Demos and the Business Hall activities in Las Vegas, AND access to all the online sessions, including online access to the recordings for 30 days after the event.
This is the BIG corporate convention of the Information Security world. Very suit and tie, bring your resume, talking about numbers and projections type of convention. Get use to hearing the words “cyber”, “mitigation”, “”deployment” “corporate”, “blockchain” and “pipeline” being thrown around like candy on Halloween without eye roll. Attendees will also introduce them selves with their job title and workplace as if they are their last names.
We are happy that the accessibility options of attending in-person or virtually online from last year has returned. From the Business Pass being completely free, reduced (but still expensive for Blue Collar prices) and various way to interact these inclusive elements has put the convention back on our radar. If you want to network and rub shoulders with the InfoSec big leagues (or to land a job), this is the convention that will be on your priority list!
PHYSICAL LOCATION RECON
LOWER LEVEL
FLOOR 1
FLOOR 2
FLOOR 3
BRIEFINGS PASSES
Briefings Dates: Wednesday, August 7 — Thursday, August 8
There are 2 different Briefings Pass options for 2024.
OPTION 1 — IN-PERSON EVENT at Mandalay Bay Convention Center, Las Vegas, NV
- Includes access to all in-person Briefings, Arsenal Demos, Business Hall Activities & Sessions and more
- Also includes ALL ON-DEMAND benefits listed in Option 2 below
OPTION 2 — ON-DEMAND ACCESS
- Available online one week after live event: August 16 — September 16, 2024
- Includes access to all recorded Briefings, Arsenal Presentations, Business Hall Activities & Sessions and more
REGISTRATION HOURS
Main Registration: Level One — Bayside Foyer
- Saturday, August 3: 7:30 AM — 4:00 PM
- Sunday, August 4: 8:30 AM — 4:00 PM
- Monday, August 5: 7:30 AM — 5:00 PM
- Tuesday, August 6: 8:00 AM — 8:00 PM
- Wednesday, August 7: 7:30 AM — 6:00 PM
- Thursday, August 8: 8:00 AM — 4:00 PM
Satellite Registration: Mandalay Bay Hotel Lobby/Across from Hazel Lounge
- Monday, August 5: 1:00 PM — 5:00 PM
- Tuesday, August 6: 8:00 AM — 10:00 PM
- Wednesday, August 7: 7:30 AM — 1:00 PM
TRAINING PRICES
Training Dates: Saturday, August 3 — Tuesday, August 6
Please check individual Training description pages for Training prices and dates.
In-person Training includes full access to the Black Hat Business Hall on August 7–8. All Pricing is in US Dollars (USD), pricing does not include applicable local taxes.
BUSINESS PASSES
Business Hall Dates: Wednesday, August 7 — Thursday, August 8
There are 2 different Business Pass options for 2024.
OPTION 1 — IN-PERSON EVENT at Mandalay Bay Convention Center, Las Vegas, NV
- Includes access to all Business Hall Activities, Arsenal Demos, Sponsored Sessions and more
OPTION 2 — ON-DEMAND ACCESS available online
- Available online one week after live event: August 16 — September 16, 2024
- Includes online access to the On-Demand Business Hall, Arsenal Demos, Sponsored Sessions, Sponsored Workshops, and more.
REGISTRATION TERMS & CONDITIONS
You agree to our Terms and Conditions when you register online through our website.
GROUP DISCOUNT
Group Registration discounts are available for groups of six or more attendees registered and paid at the same time. Please see below for Group Registration pricing details:
If you are interested in receiving a group discount, please contact bhgroupregistration@informa.com to request a group form or inquire about the group registration process.
Registration Policies: Cancellations, Substitutions & Changes
- Full payment must be received prior to group members obtaining their badges onsite.
- Discount applies to the In-Person Briefings pass only.
- Black Hat group registration discounts apply for 6 or more new Briefings or Trainings and Briefings registrations.
- Group discount cannot be combined with any other offers or promotions, including the alumni rate.
- Paid registrants who cancel and do not substitute another person will receive a refund less a $300 processing fee if notification is submitted in email to bhgroupregistration@informa.com on or before July 12, 2024.
- If you have already registered and paid your registration in full, you are not eligible for a discount if your organization also submits and qualifies for a group registration at a later date. You may cancel your registration, minus a $300 processing fee, by July 12, 2024 if you wish to partake in your organization’s group registration.
- All Fees are non-refundable after July 12, 2024.
- Trainings are filled on a first come first paid basis.
- DEF CON tickets are non-refundable, once purchased.
QUESTIONS OR CONCERNS?
All inquiries, correspondence and issues related to conference registration should be directed to Black Hat via email at blackhatregistration@informa.com or call +1.415.947.6846 or toll free (within USA) +1.866.203.8081 Monday — Friday 9:00 AM — 4:00 PM PT.
ATTEND BLACK HAT CHEAP-AS-FREE!
This year thanks to the hybridization, there is some amazing discounted and FREE options available for those of us hackers who want to rub shoulders (6 feet apart of course) with the dapper folks without breaking our already sparse checking accounts.
In-Person Business Passes is $749 (Increased to $799 After August 4th) this year and the Online Business Pass is FREE. With a Business Pass, access the Keynote, the Business Hall and a number of Features, including Arsenal, Sponsored Sessions, Passport to Prizes, and more. In addition, more features such as the Keynotes & Briefings will open up a week later on August 16th!
Interested in attending Black Hat USA? EFF supporters attending in-person can get $200 off briefing tickets by using the code “EFF2024” when registering online.
DEF CON REGISTRATION
DEF CON is a hacker convention which takes place immediately following Black Hat in Las Vegas every year.
Upon purchase of IN-PERSON Black Hat Briefings and/or Trainings passes, each registrant will also have the option to purchase a single (1) advance ticket to DEF CON 2024, at a rate of $480 per ticket, one ticket purchase per person, up until the close of “Late” registration on August 2, 2024 at 11:59 PM PT.
DEF CON tickets will not be sold on-site at Black Hat USA. After August 2, 2024, DEF CON tickets are only available for purchase at DEF CON during their ticket sales window at Las Vegas Convention Center. Please visit defcon.org for further information.
Please note, you must first register and pay for your IN-PERSON Black Hat Training/Briefings pass in order to purchase a DEF CON ticket.
- Black Hat Business Pass Only registrations do not qualify for the DEF CON ticket add-on
- Black Hat Virtual and On-Demand passes do not qualify for the DEF CON ticket add-on
DEF CON tickets are non-refundable and non-transferrable once purchased. When you check in at Black Hat, if you have purchased a DEF CON ticket, a DEF CON symbol will be printed on your Black Hat badge. You will need to present your Black Hat badge on Thursday of the event, as verification of your DEF CON ticket purchase and to receive your ticket.
DEF CON badges purchased through Black Hat will be available for pick-up at the Mandalay Bay Convention Center, Mandalay Bay Ballroom Foyer, Level 2 on Thursday, August 8, 2024 at 7:00 AM — 4:00 PM.
- Step 1: Attendees will present their Black Hat badge with DEF CON symbol to staff.
- Step 2: Your badge will be hole punched as proof of pick-up.
- Step 3: Staff will hand you your badge.
ON-DEMAND & VIRTUAL PLATFORM RESOURCES
Black Hat USA 2024 will offer an on-demand and virtual component. We have provided information and resources below to make your experience at Black Hat a successful one. Please contact Black Hat Registration with any questions or for more information.
When the platform goes live, you will receive an email with a link directing to a login page where you can create a password for accessing the virtual event.
Please note that your event login information will come in an email from
Sender: “Black Hat USA <hello@swapcard.com>”
You should add hello@swapcard.com to your allowed email list to ensure receipt of your login details.
CREDENTIALS
You can access the Swapcard platform directly at login.swapcard.com.
There you can log in by entering the email you used to register for Black Hat USA and creating a password. If you’ve forgotten your password, click on “Send me a magic link” to receive an email to reset your password.
SETTING YOUR PROFILE VISIBILITY
Your profile will be automatically created in Swapcard using the information you supplied when you registered for the event.
You have the option to connect with other attendees and sponsors, just as you would at a live event.
Once you’ve logged into the platform, click on the “Attendee” tab. On the left side of the page, look for the “Visibility” setting to turn your Profile visibility on or off. You may change this setting at any time.
SESSIONS
Learn how to access sessions and content:
NETWORKING
Learn how to network with other attendees:
INTERACTING
Learn how to find virtual exhibit booths:
STAY CONNECTED
In addition to all of the chat and networking opportunities within GoToTrainings and Swapcard, you can stay up-to-date and join the conversations on social media by following and tweeting @BlackHatEvents, using the hashtags #BlackHat, BlackHatUSA, BlackHat2024, #BlackHat23, #BHUSA and #BHTrainings.
TRAININGS VIRTUAL PLATFORM (AUGUST 3— AUGUST 8)
All Black Hat USA Trainings listed as Virtual will be taught live online via Zoom. Sessions will not be recorded. All courses are presented in Pacific Time (GMT/UTC -7h). Please email blackhatregistration@informa.com if you have any additional questions.
ON-DEMAND PLATFORM (AUGUST 16 — SEPTEMBER 18)
Black Hat USA programs and features including Briefings, Arsenal, Sponsored Sessions & Workshops, the Business Hall, and more will be record on-site in Las Vegas and then made available on-demand on the Swapcard Platform. The on-demand platform content will be available one week after the in-person event. All paid pass holders will receive an email with a link directing to a login page where you can create a password for accessing the on-demand platform.
MAIN CONFERENCE PLATFORM (AUGUST 7 & 8)
Black Hat USA Main Conference including Briefings, Arsenal, the Business Hall, and more, will take place on the Swapcard Virtual Event Platform. When the platform goes live, you will receive an email with a link directing to a login page where you can create a password for accessing the virtual event.
BOOKSTORE
August 5–8 | Breakers Registration Desk, Level 2
Come by the official bookstore at the Breakers Registration Desk, Level 2 and browse the latest titles in security. Several authors will be signing copies of their authored books. (Books are available for purchase.) Brought to you by Professional Programs Bookstore.
Bookstore Hours:
- Monday, August 5: 8:00 AM — 6:00 PM
- Tuesday, August 6: 8:00 AM — 6:00 PM
- Wednesday, August 7: 7:30 AM — 6:00 PM
- Thursday, August 8: 8:00 AM — 6:00 PM
Book Signings:
- Tuesday, August 6:
- Chris Castaldo at 11:00–11:20 AM
- Wednesday, August 7:
- Adam Shostack at 11:00–11:20 AM
- Stephanie & Chris Domas at 12:00–12:20 PM
- Thursday, August 8:
- Joseph Cox at 11:00–11:20 AM
- Mikko Hypponen at 1:00–1:20 PM
DAY CARE
Black Hat is excited to partner with leading childcare provider Kiddie Corp to offer Black Hat attendees’ access to an on-site children’s program.
The Kiddie Corp program is for children ages 6 months through 12 years old and will be located within the Mandalay Bay Convention Center. If you have a child under 6 months or over 12 years of age accommodations can be made with show management approval.
Currently, childcare is available on the dates & times below:
- Tuesday, August 6: 8:00 AM — 6:00 PM
- Wednesday, August 7: 8:00 AM — 6:00 PM
- Thursday, August 8: 8:00 AM — 6:00 PM
Advance registration is recommended. Availability is limited and handled on a first-come, first-served basis. Although every effort will be made to accommodate on-site registrations, there is no guarantee.
Click Here to Learn More and Register
MERCHANDISE STORE
Get your Black Hat-branded T-shirts, jackets, mugs, and more at the Black Hat Merchandise Store located on Level 2. Purchases can be made with any major credit or debit card. Brought to you by Moxie Promo.
Merchandise Store Hours:
- Monday, August 5: 8:00 AM — 6:00 PM
- Tuesday, August 6: 8:00 AM — 6:00 PM
- Wednesday, August 7: 7:30 AM — 6:00 PM
- Thursday, August 8: 8:00 AM — 6:00 PM
MOBILE APP
The Black Hat Events mobile app allows you to build your schedule, connect with other attendees, navigate the venue, browse sponsor profiles, and discover a lot more about the event. You can download the mobile app for IOS or Android by searching “Black Hat Events” or visit page.swapcard.com/app/black-hat-events.
Be sure to turn on notifications to know when attendees are reaching out to you in real-time. For IOS, you can manage notifications within the app settings. For Android, you can manage the notifications on the phone settings within notifications settings.
MOTHERS ROOM (ALSO SINGLE DADS AND PARENTS)
A private nursing mothers is available on Level 3 of the Mandalay Convention Center, in the Jasmine 1 Registration Office on Trainings & Briefings days, August 3–8.
ON-DEMAND ACCESS
August 14 — September 16, 2024 | Swapcard
All Black Hat USA 2024 attendees will have on-demand online access to the programs included in their paid pass one week after the in-person event. On-demand access is provided through our Swapcard platform and will be available August 14 — September 16, 2024.
On-demand includes access to all recorded Briefings, Arsenal Tool Demos, Sponsored Sessions & Workshops, Business Hall Activities, and more.
PRAYER ROOM
A private prayer room is available on Level 3 of the Mandalay Convention Center, in the Jasmine 2 Registration Office on Trainings & Briefings days, August 3–8. The room will remain unlocked throughout the event and no reservation or notice is required for its use.
BRICKS & PICKS
August 7–8 | Business Hall
Visit Bricks & Picks to delight your creative & playful side with a gigantic pile of genuine LEGO bricks or attempt your skills in the world of physical security with locks in varying degrees of difficulty!
This Black Hat program features brick building activities such as a Black Hat branded mosaic wall build as well as lock-picking activities from beginning to advanced. Both activities will feature competitions with prizes throughout the day.
The lockpicking area in Bricks & Picks will provide valuable insights into the world of physical security and help attendees better understand the risks associated with physical security threats. By exploring vulnerabilities in various types of locks and the techniques used to bypass them, participants will be introduced to the hidden flaws in many physical security products. Participants will leave this activity space with more dynamic and innovative ways to approach security concepts and look at ubiquitous hardware in unconventional ways. By shining a spotlight on the topic of lockpicking, we hope to raise awareness of the importance of physical security and help attendees think more creatively about the ways in which to protect their assets.
Bricks is hosted by BrickNerd — your source for all things LEGO and the AFOL (Adult Fans of LEGO) community and Picks in partnership with Red Team Alliance.
BLACK HAT STARTUP SPOTLIGHT COMPETITION
The Black Hat Startup Spotlight is back for Black Hat USA 2024! This Black Hat special event is a video pitch competition for cybersecurity startup companies to present their products and solutions in front of a live audience at Black Hat USA.
Create and submit your 5-minute video using the Form below, calling out your company’s competitive advantages of the product or solution and how it will help cybersecurity pros. Products and solutions can be in development, about to launch or in the recently launched phases.
FINALISTS
Congratulations to our Top 4 Finalists:
COMMUNITY SESSIONS
& MEETUPS
Open to all pass types, the Community Sessions and Meetups encourage collaboration amongst attendees and presenters. Covering everything from personal digital resilience to mentorship and career-building strategies, attend the Black Hat Community Sessions and Meetups to interact with topic experts and peers alike.
Decrypting Careers: Navigating Paths in Security and Privacy
Naila Browne | Associate Director, IT Security Compliance, Guidehouse
Sara Partida | Chief Privacy and Technology Counsel, Wynn Resorts
Stephanie Schneider | Cyber Threat Intelligence Analyst, LastPass
John Stoner | Cybersecurity Consultant
Chenxi Wang | General Partner, Rain Capital
Date: Wednesday, August 7 | 10:20am-11:20am ( Lagoon G, Level 2 )
Tracks: Community Sessions, Diversity & Inclusion
Join Women in Security and Privacy (WISP) for an insightful panel discussion featuring distinguished experts in privacy and information security. Our panelists will unravel their unique career journey, sharing pivotal experiences, and offering practical advice for advancing in these ever-evolving fields.
But the learning doesn’t stop there! Following the enlightening panel, you’ll have the exclusive opportunity to network with industry leaders and peers to exchange ideas, discuss career goals, and form valuable connections within the security and privacy community.
Don’t miss this chance to expand your network and gain insights that can propel your career forward. Secure your spot and be part of a transformative experience that could shape the trajectory of your career!
All on “Board” for AI — Communicating Cyber Risk of New Technology to the Board
Jon France | CISO, ISC2
Edward Farrell | CISSP, SSCP, Board of Directors, ISC2
Date: Wednesday, August 7 | 1:30pm-2:10pm ( Lagoon G, Level 2 )
Track: Community Sessions
As AI technology continues to proliferate at an unprecedented pace, businesses across the globe are rushing to adopt the emerging technology. Although AI promises many benefits, including automating repetitive tasks, analyzing user behavior patterns, monitoring network traffic for signs of malware and predicting areas of weakness in the IT estate — there is a lack of understanding of the associated risks and consequences that it could bring to the core business among cybersecurity professionals and board members.
With AI as an example of rapid technology adoption without a real understanding of its impact, this presentation will highlight the urgent need to communicate cyber risk effectively to the board. ISC2 CISO Jon France and ISC2 Board Member Edward Farrell will share research-based insights, as well as discuss actionable strategies to bring back to your organization to help strengthen your communication around cyber risk and create a more safe and secure digital future in the wake of emerging technology.
The Hack@DAC Story: Learnings from Organizing the World’s Largest Hardware Hacking Competition
Arun Kanuparthi | Principal Engineer, Offensive Security Researcher, Intel Corporation
Hareesh Khattri | Principal Engineer, Offensive Security Research, Intel Corporation
Jason Fung | Senior Director, Offensive Security Research & Academic Research Engagement, Intel Corporation
Jeyavijayan JV Rajendran | Associate Professor, Texas A&M University
Ahmad-Reza Sadeghi | Professor, TU Darmstadt
Date: Wednesday, August 7 | 1:30pm-2:10pm ( Jasmine AE, Level 3 )
Format: 40-Minute Briefings
Tracks: Community & Career, Hardware / Embedded
In this talk, we will share our insights and learnings from organizing Hack@DAC, a hardware hacking competition that hosted over 1000+ researchers over the last seven years. We discuss how Hack@DAC is unique when compared against other hardware CTFs. We highlight the value of organizing a hardware CTF for the general security community. Specifically, we highlight key takeaways for industry, academia, and security researchers.
There has been a significant spike in the number of hardware vulnerabilities and cross-layer attacks in recent years, leading to increased interest and focus in this area. However, unlike software/ firmware domains, there are very few open hardware designs that detail known vulnerabilities and their mitigations. Hack@DAC CTF offers an open-source hardware design (along with a simulation environment) that mirrors the security features and weaknesses commonly seen in system-on-chip designs. Such Hardware CTFs enable academic participants to gain a deeper appreciation of the challenges involved in detecting and preventing vulnerabilities in industrial-scale designs. More importantly, CTFs help participants learn, practice, and share key skills and best practices with one another. By encouraging the formation of teams between individuals with diverse skillsets, varying levels of expertise, and across organizational boundaries, CTFs offer a great community-building experience.
Next, we explain the strategies we followed to organize the competition over the last seven years and the differences when organizing a CTF for hardware vs software targets. This includes insights into how we choose the target design for the competition, how security features are added, and how vulnerabilities are inserted. We describe the two phases of the competition: an initial phase where teams get to familiarize themselves with the design and a final phase where top-performing teams are invited to do harder tasks in less time. We then share the impact the competition has had on the security research community in general.
Climb the Mountain Together: To Build an Inclusive Space in CyberSecurity with WiCyS
Lynn Dohm | Executive Director, Women in Cybersecurity (WiCyS)
Date: Wednesday, August 7 | 3:00pm-4:00pm ( Lagoon BH, Level 2 )
Track: Meetups
Join Women in CyberSecurity (WiCyS) for a meetup with WiCyS Executive Director Lynn Dohm. The ever-evolving landscape of cybersecurity continues to have significant demands on the workforce. Learn more about the WiCyS mission to recruit, retain, and advance women in cybersecurity. Come to learn, network, and grab some WiCyS swag.
Infosec Bloopers
Dominic White | Ethical Hacking Director, Orange Cyberdefense
Marianka Botes | Security Consultant, Orange Cyberdefense’s SensePost Team
Date: Wednesday, August 7 | 3:20pm-4:00pm ( Lagoon A, Level 2 )
Track: Meetups
Let’s be honest, everyone makes mistakes. Whether they are big or small, it’s important that we use them as a learning opportunity. But that doesn’t mean that we can’t joke or laugh about them! Looking back at mistakes allows us to grow, to become more confident in our work and inhibit Imposter Syndrome.
Come connect with other security professionals in this light-hearted meet-up and share some of the infosec bloopers you have experienced or come across in your career.
NOTE: In order to create an open and candid environment that promotes the sharing of ideas and discussion, this session will follow Chatham House Rule; neither media nor event coverage is permitted.
Queercon Mixer
Date: Wednesday, August 7 | 4:30pm-6:00pm ( Community Lounge, Business Hall )
Tracks: Community Lounge, Diversity & Inclusion
Black Hat is excited to host Queercon, the largest social network of LGBTQIA+ hackers from around the world, at Black Hat USA 2024. Queercon will host a networking reception on Wednesday, August 7 in the Community Lounge, in the Business Hall at the Mandalay Bay Convention Center in Las Vegas. Queercon continues to focus on outreach to the LGBTQIA+ community within the IT Security and Hacker Spaces. Click here to learn more.
Security Champions Meetup
Anant Shrivastava | Founder, Cyfinoid Research
Tanya Janca | Head of Community and Education, Semgrep
Kymberlee Price | Founder & CEO, Zatik Security
Dustin Lehr | Co-Founder / Chief Product & Technology Officer, Katilyst
Date: Thursday, August 8 | 10:20am-11:00am ( Lagoon G, Level 2 )
Track: Community Sessions
The role of security champions once started out as members from Dev or Ops teams, who were interested in security concepts and efforts to help the two teams connect better. This bridge role has evolved over time, from a purely technical role, to requiring champions to become well versed in different backgrounds and working styles of the teams they are supporting. Organizations often push to build security champion programs, but are not always achieving the success they desire, and often don’t understand why.
Join us for an informal conversation about the benefits and struggles of security champions. Hear from our esteemed panelists, who have been carefully selected from a pool of practitioners who have been in the thick and thin of champion programs that have been successful, as well as those which have failed.
Come to this session with your real-life questions and worries, and our experts will help you navigate the turbulent waters.
How Hackers Changed the Media (and the Media Changed Hackers)
Sherri Davidoff | CEO, LMG Security
Lorenzo Franceschi-Bicchierai | Senior Writer/Editor, Cybersecurity, TechCrunch
Robert McMillan | Reporter, The Wall Street Journal
Sadia Mirza | Partner, Troutman Pepper
Date: Thursday, August 8 | 10:20am-11:00am ( Oceanside A, Level 2 )
Format: 40-Minute Briefings
Track: Community & Career
Cyber extortion gangs routinely send journalists (often unsolicited) details about their hacks, victims, and leaked information, hoping that their exploits will make the news and damage victims’ reputation. Journalists, in turn, are placed in a tricky situation, balancing the need to report accurate and true events with the ethics of empowering criminals. In today’s mature hacker economy, some gangs have developed formal media and PR programs (such as the BlackMatter gang, which invited journalists to register on their platform in order to get early notification of data breaches, and direct access to “ask questions and get information from the primary source.”)
Victims, too, manipulate the media when hacks and data breaches occur — often blaming nation-state actors, leveraging PR templates or selectively revealing details. How can journalists report the truth, while not empowering criminals? In this panel, seasoned Wall Street Journal reporter Robert McMillan will share his experiences talking with hackers and victims alike, how they attempt to manipulate journalists, and key strategies that he employs to ensure that articles are fair and accurate. We’ll also hear from journalists who routinely share screenshots and details from hackers — a different media strategy that also comes with the need for careful screening and ethical considerations by journalists. Along the way, we’ll discuss issues such as speed to publication, authentication of materials, corrections, vetting sources, and the victim perspective. Takeaways for the audience will include: strategies for talking to the press, benefits and drawbacks of sharing the victim perspective, and common mistakes to avoid when talking (or not talking) to the media.
Gatebreaking the Gatekeeping: Women in Cybersecurity
Lynn Dohm | Executive Director, Women in Cybersecurity (WiCyS)
Quintana Patterson | Cybersecurity and Technology Manager, Women in Cybersecurity (WiCyS)
Date: Thursday, August 8 | 11:20am-12:00pm ( Community Lounge, Business Hall )
Tracks: Community Lounge, Diversity & Inclusion
The Women in CyberSecurity (WiCyS) State of Inclusion benchmark report illuminates women’s experiences of exclusion that contribute to a “glass ceiling” at six to ten years of their careers. Instead of continuing to talk about diversifying the workforce, let’s have an open discussion about the specific barriers and actionable steps needed to overcome the challenges of retention in the workplace. This session will shed light on how women perform in their cybersecurity practitioner roles utilizing insights from the N2K NICE assessment tool. Turns out the data on the reality of women’s capabilities in cybersecurity is the key to gatebreaking the gatekeeping of women to advance and excel in their careers.
Hoodies Off! A 360-Degree Perspective on the Challenges and Solutions Facing Cyber Communities, One Byte at a Time
Jen Winters | Chief Operation Officer, Pacific Hackers Association
Marco Palacios | President, Pacific Hackers Association
Rod Soto | Co-Founder, Hackmiami and Pacific Hackers Association
Date: Thursday, August 8 | 1:30pm-2:10pm ( Community Lounge, Business Hall )
Tracks: Community Lounge, Diversity & Inclusion
Rapid innovation, complex threats, and diverse challenges mark the cybersecurity landscape. As an industry, we don’t find this news; it is our life. This panel session brings together unique perspectives from women, underserved populations, and veterans to explore perceptions and perspectives on the multifaceted issues faced within the hacker and cyber communities with solutions to address them. From the hacker’s viewpoint to the vendor’s role and the executive’s responsibility, our experts will delve into the importance of community building and un-siloing information. This session aims to equip attendees with diverse perspectives and actionable strategies to enhance their roles and contributions to cybersecurity. Alone, we are all strong, together we are unstoppable! www.pacifichackers.org
Sober in Cyber Community Meetup
Jennifer VanAntwerp | Founder, Sober in Cyber
Date: Thursday, August 8 | 1:30pm-2:10pm ( Lagoon A, Level 2 )
Tracks: Healthy Activities, Meetups
Are you sober, sober-curious, or interested in learning more about Sober in Cyber’s events and activities?
Join founder Jen VanAntwerp and members of the Sober in Cyber community for an in-person meet-up and networking event. The cybersecurity industry has plenty of alcohol-centric events, and Sober in Cyber aims to provide alternative options and inclusive networking opportunities for the infosec community. Sober in Cyber events are open to ALL, whether you’re sober or just looking to take a break from alcohol-fueled events.
Come network with like-minded individuals and pick up some sweet Sober in Cyber swag!
BLACK HAT USA 2024 SUMMMITS
This year, Black Hat USA will feature FOUR Major Summits, Two Classics and Two New Ones (Including a gank from DEF CON that is now being traded for the Pwnie Awards) and two Micro-Summits! Due to the crazy scheduling, the master schedule for all of them is here:
THE AI SUMMIT AT BLACK HAT USA
TUESDAY, AUGUST 6, 2024
MANDALAY BAY, LAS VEGAS, NV
SOUTH PACIFIC F, LEVEL 0
You’re invited to attend The AI Summit at Black Hat USA 2024.
2023 saw artificial intelligence explode into the mainstream and land firmly on the boardroom agenda. Today, it’s clear that no AI implementation can truly be successful without understanding, and preparing for, the myriad cybersecurity implications.
On the flip side, in the ever-evolving cybersecurity landscape, where threats mutate faster than ever and defenses struggle to keep pace, AI is an organization’s newest and greatest weapon.
We are therefore delighted to announce that this year, The AI Summit will join the schedule at Black Hat USA. The AI Summit’s presence in 2024 is not just fitting, it’s essential.
WHY ATTEND?
At this one-day Summit, you can expect to hear from technical experts, industry leaders and security tsars covering three key areas:
- The use of AI in cybersecurity products and solutions
- Securing AI applications and models within the enterprise
- The use of AI in cyber attacks
We’ll be exploring innovative strategies, learning about cutting-edge technologies, and engaging in hands-on practical sessions designed to give you a comprehensive understanding of the potential risks, challenges and opportunities associated with AI and cybersecurity.
Since 2016, The AI Summit Series has gathered top executives and investors with technology vendors and data specialists from across the globe to network, learn and forge partnerships for the successful implementation of AI technology in enterprises.
Now in its ninth year, this conference & expo has firmly established itself at the heart of the AI-for-business community, running shows in London, New York, Singapore, and for the first time in 2024 at Black Hat USA.
“Fantastic conference to meet the great people who are at the forefront of technological change. Great to meet clients and new people from various backgrounds.”
- Tom Allen, Founder, The AI Journal
INNOVATORS & INVESTORS SUMMIT AT BLACK HAT USA
TUESDAY, AUGUST 6, 2024
MANDALAY BAY, LAS VEGAS, NV
OCEANSIDE BC, LEVEL 2
You’re invited to apply to attend the Innovators & Investors Summit at Black Hat USA 2024.
The Black Hat Innovators & Investors Summit brings together leading entrepreneurs, investors, CISOs, and forward-thinking industry front-liners to focus on the latest market trends including M&A, startup valuations, and technology innovation designed to address the cyber startups’ most important challenges. Innovation, and accelerating trailblazing startups through investment, is the best way to outpace cyber-criminals and counteract today’s ever evolving threat landscape. This full-day summit offers attendees the opportunity to gain market insights, exchange ideas, and develop new relationships for scaling businesses and creating deal flow.
Offered the day before the main Black Hat USA Briefings sessions, the Innovators & Investors Summit is the place to be for those in the cyber community who are looking for innovative approaches and groundbreaking ideas to startup investment. The summit will conclude with the Startup Spotlight Competition, where four startup finalists will pitch their product/service to win it all — live before summit attendees. Register today to have an opportunity to secure your seat. Note, attendance for this summit is based on a pre-approval process to help foster the most dynamic and engaging interactions possible.
BLACK HAT CISO SUMMIT
TUESDAY, AUGUST 6, 2024
FOUR SEASONS, LAS VEGAS, NV
FOUR SEASONS BALLROOM, LEVEL 2
The Black Hat CISO Summit is an approval-only event during Black Hat USA which brings together top security executives from global corporations and government agencies for a full day of unique discussions. Offered the day before the main Black Hat USA Briefings sessions, the CISO Summit is intended to give CISOs and other InfoSec executives leading-edge insight into the latest security trends, technologies, and enterprise best practices.
The cost to attend includes Business Hall Access during Black Hat USA on Aug 7 and 8.
Due to limited space, Black Hat Management will review all applications. Notification of application status will be sent within 30 days of application.
- Please note: In order to create an open and candid environment that promotes the sharing of ideas and discussion, the CISO Summit will follow Chatham House Rule; neither media nor event coverage is permitted. This program was designed for executive security practitioners; solution providers and vendor attendees are limited to event sponsors.
Omdia Analyst Summit
TUESDAY, AUGUST 6, 2024
MANDALAY BAY, LAS VEGAS, NW
OCEANSIDE D, LEVEL 2
You’re invited to apply to attend the Omdia Analyst Summit at Black Hat USA 2024.
The fourth annual Omdia Analyst Summit returns to Black Hat USA featuring the industry’s leading cybersecurity analysts. This year the Summit will focus on platforms and reducing complexity — understanding the pros and cons of security platforms, how they’re evolving, and how risk is being leveraged.
Join the 2024 Omdia Analyst Summit at Black Hat USA to explore the decisions that CISOs and their teams are taking around reducing complexity, and where vendors and service providers can help.
INDUSTRIAL CONTROL SYSTEMS (ICS) MICRO SUMMIT
Thursday, August 8, 10:20 AM — 2:10 PM
Oceanside D
Industrial organizations are rapidly digitalizing their environments to meet business goals, enhancing the productivity and efficiency of operations. However, these business decisions must be considered and carefully managed with a cybersecurity lens. This event explores the business view of digital transformation, assessing and providing insights into how cybersecurity can be incorporated and carefully balanced. Experts will detail how organizations will need to approach risk assessment and management with this in mind, mitigating, accepting and transferring risk in some instances to insurance. Alongside this business focus, the ICS summit will explore the cybersecurity implications of connectivity, with a focus on the benefits and challenges of deploying and layering Industrial IoT (IIoT) with OT networks.
CYBER INSURANCE MICRO SUMMIT
Wednesday, August 7, 1:30–5:00 PM
Oceanside D
At this exclusive Cyber Insurance Summit, you’ll connect with industry pioneers, risk analysts, and insurance innovators, discussing pivotal risk transference areas for the community:
- Insurance providers are adapting to mitigate emerging risks, safeguarding businesses against financial losses.
- How the landscape is changing for cyber insurance, how claims are being dealt with and right-sizing premiums.
- Data analytics and risk assessment methodologies, quantifying and mitigate cyber risks, and informed underwriting decisions.
Join us as we navigate through practical solutions, examine key industry trends, and engage with leading experts to deepen your understanding of the evolving cyber insurance landscape, equipping you with the knowledge and strategies to thrive in today’s digital risk environment.
NETWORK OPERATIONS CENTER (NOC)
The Black Hat Network Operations Center (NOC) provides a high security, high availability network in one of the most demanding environments in the world — the Black Hat event. This is accomplished with the help of best of breed solutions providers and seasoned security and engineering teams led by Black Hat’s esteemed NOC Team Leads. Together this team provides the security, stability, and visibility of a world-class enterprise network. Each year this hand-selected team meets months before Black Hat to incorporate the latest infrastructure and security solutions into a workable network design. The team reconvenes just days before Black Hat for a compressed deployment of a network that must be operational for the opening day of the event. Black Hat attendees can visit the NOC for a glimpse into this state-of-the-art network. The Black Hat NOC program is a testament to engineering know-how and teamwork.
Live Stream Hours
- Monday, August 5 — Thursday, August 8: 9:00 AM — 6:00 PM
NOC Presentations
- Wednesday, August 7:
10:20 AM — 10:50 AM in Lagoon G, Level 2
4:45 PM — 5:35 PM in Business Hall Theater E - Thursday, August 8:
10:20 AM — 10:50 AM in Lagoon G, Level 2
2:35 PM — 3:25 PM in Business Hall Theater E
NOC Visiting Hours (Surf EF, Level 2)
- Saturday, August 3: 9:00 AM — 7:00 PM
- Sunday, August 4: 9:00 AM — 6:00 PM
- Monday, August 5: 9:00 AM — 6:00 PM
- Tuesday, August 6: 9:00 AM — 6:00 PM
- Wednesday, August 7: 9:00 AM — 6:00 PM
- Thursday, August 8: 9:00 AM — 6:00 PM
The 10th Annual Black Hat USA Network Operations Center (NOC) Report
Neil Wyler | Vice President of Defensive Services, Coalfire
Bart Stump | Managing Principal, Coalfire
Date: Thursday, August 8 | 3:20pm-4:00pm ( Oceanside A, Level 2 )
Format: 40-Minute Briefings
Tracks: Network Security, Application Security: Defense
Back with another year of soul-crushing statistics, the Black Hat NOC team will be sharing all of the data that keeps us equally puzzled, and entertained, year after year. We’ll let you know all the tools and techniques we’re using to set up, stabilize, and secure the network, and what changes we’ve made over the past year to try and keep doing things better. Of course, we’ll be sharing some of the more humorous network activity and what it helps us learn about the way security professionals conduct themselves on an open WiFi network.
BLACK HAT DAY ZERO
KICK OFF YOUR #BHUSA 2024 EXPERIENCE
TUESDAY, AUGUST 6, 3:00 PM — 5:00 PM
OCEANSIDE A, LEVEL 2
Join us for a networking and preview reception to kick off your Black Hat experience, build out your schedule, and connect with like-minded members of the cyber community.
Whether you are a first-time or long-time Black Hat attendee, we invite you to join us at Day Zero!
WHY ATTEND?
- Network with key community members and attendees while enjoying refreshments, games, and raffles.
- Learn more about this year’s latest hacks, research, demos, and features you can expect to see and experience at Black Hat USA 2024, including:
- Black Hat Arsenal
- Autonomous Zone
- Association Partners
- Bricks & Picks
- Briefings Program and Speakers
- Career Exploration
- Community Programming and Diversity & Inclusion Efforts
- Influential Cybersecurity Experts
- Dark Reading
- Black Hat Review Board
- Black Hat Network Operations Center (NOC)
- Scholarship Opportunities
- Volunteering at Black Hat
ARSENAL
August 7–8, 2024
Arsenal brings together researchers and the open-source community to showcase their latest open-source tools and products in an open, conversational, and virtual environment where presenters are able to interact with the attendees.
Arsenal is now featuring the Lab at all regional events. The Arsenal Lab is an interactive, hands-on environment designed for hacking enthusiasts of all skill-level to learn about specialized tools and targets that may be difficult to access otherwise. Join our industry experts to discover new skills or take existing skills to the next level.
ARSENAL @ BLACK HAT USA 2024 HIGHLIGHTS:
Stowaway: Multi-hop Proxy Tool for pentesters
Date: Wednesday, August 7 | 10:00am-11:00pm ( Arsenal On-Demand )
Tracks: Network Attacks, Exploitation and Ethical Hacking
Session Type: Arsenal
Stowaway is a multi-level proxy tool written in the go language and designed for penetration testers and security researchers. Attackers can use Stowaway to construct their own tree network in a highly restricted intranet environment so that the attacker’s external traffic can reach the core network through the layers of proxies of multiple Stowaway nodes. While breaking through network access restrictions, Stowaway can also help attackers hide their own traffic and better lurk in the intranet. In addition, attackers can also use the terminal interface and various auxiliary functions provided by Stowaway to more easily manage the entire tree network and improve the efficiency of penetration testing.
CodeHawk Binary Patcher: High Assurance Binary Patching Without a Reverse Engineer
Michael Gordon
Henny Sipma
Ben Karel
Date: Wednesday, August 7 | 10:10am-11:20am ( Business Hall — Arsenal Station 3 )
Tracks: Reverse Engineering, Vulnerability Assessment
Session Type: Arsenal
The CodeHawk Binary Patcher (CBP) project is a partnership between MIT
CSAIL and Aarno Labs with the goal of democratizing binary
patching. The project focuses on 1) drastically reducing the time to
understand and patch stripped binaries, and 2) providing provable
assurance results that demonstrate whether a patch has been correctly
applied to fix a vulnerability or bug while maintaining correct
behaviors.
The process begins with an abstract interpretation based analysis on
the binary that extracts facts about the binary at each
instruction. The analysis is scalable, having been demonstrated to
successfully analyze huge binaries (e.g., the Linux Kernel). CBP
produces an editable lifting of the binary represented in the C
programming language. An operator without reverse engineering
experience will then directly edit the C code representation, and CBP
can enact those changes on the binary using the provenance information
produced along with the lifting, without recompiling the binary.
After a patch has been produced, CBP runs a suite of checkable
relational analyses that provide information about how the patched
binary differs from the original, enabling an operator to quickly
decide if the patch is correct. Furthermore, CBP provides checkable
proofs as evidence that its transformations are correct, and for
certain important types of memory vulnerabilities, can prove that a
patch fixes the vulnerability. This entire workflow is available as in
a GUI plugin to the Binary Ninja platform.
CBP is built on top of CodeHawk’s open-source binary analysis,
developed over the past 10 years through DARPA and IARPA funding
(STONESOUP, MUSE, HACCS, STAC, and AMP).
CBP has been independently demonstrated in the DARPA’s Assured
Micro-Patching (AMP) evaluations to drastically reduce the time, cost,
and risk of binary patching, providing intuitive and provable
assurance results of a binary patch.
RedCloud OS : Cloud Adversary Simulation Operating System
Yash Bharadwaj
Manish Kumar Gupta
Date: Wednesday, August 7 | 10:10am-11:20am ( Business Hall — Arsenal Station 5 )
Tracks: Exploitation and Ethical Hacking, Network Attacks
Session Type: Arsenal
RedCloud OS is a Debian based Cloud Adversary Simulation Operating System for Red Teams to assess the security of leading Cloud Service Providers (CSPs). It includes tools optimised for adversary simulation tasks within Amazon Web Services (AWS), Microsoft Azure, and Google Cloud Platform (GCP).
Enterprises are moving / have moved to Cloud Model or Hybrid Model and since security testing is a continuous procedure, operators / engineers evaluating these environments must be well versed with updated arsenal. RedCloud OS is an platform that contains:
- Custom Attack Scripts
- Installed Native Cloud Provider CLI
- 25+ Multi-Cloud Open-Source Tools
- Tools Categorization as per MITRE ATT&CK Tactics
- Support Multiple Authentication Mechanisms
- In-Built PowerShell for Attacking Azure Environment
- Ease to configure credentials of AWS, Azure & GCP & much more…
Inside each CSP, there are three sub-categories i.e, Enumeration, Exploitation, and Post Exploitation. OS categorises tools & our custom scripts as per the above mentioned sub-categories.
RF Hacking on the Road: Logging Tire Sensors
Date: Wednesday, August 7 | 10:10am-11:40am ( Business Hall — Arsenal Lab )
Track: Arsenal Lab
Session Type: Arsenal
Build an SDR-based scanner to log transmissions from tire sensors!
Nearly every tire on every vehicle produced the last few decades contains a digital radio with a unique signature. By scanning, receiving, and logging these Tire Pressure Monitor (TPM) sensor transmissions, you can essentially fingerprint individual tires. Such a TPM logger allows you to determine information about when and how often unique vehicles pass through a given location. You can also extract some information on the make of each vehicle and a rough estimate of its year of manufacture.
In this lab, you’ll learn how and when TPM sensors transmit their data and how you can capture and log their communications. You’ll then put together some Python code blocks to build a simple, SDR-based logger and test it on real TPM sensors.
Some Call Me TIM: A Novel, Lightweight Triage and Investigation Platform
Date: Wednesday, August 7 | 11:25am-12:35pm ( Business Hall — Arsenal Station 2 )
Tracks: Data Forensics/Incident Response, Network Defense
Session Type: Arsenal
SOC anaylsts, threat hunters, and detection engineers have the same core challenge: how can I triage and/or investigate suspicious activity, at scale, while ensuring that all of the work I do goes back into the system to improve future outcomes? TIM is a novel, lightweight triage and investigation platform that enables analysts of all types — SOC, TI, etc. — to quickly pivot and curate relevant events across any kind of data source in comfortable, unintrusive interface. Powered by AGGrid, TIM gives analysts the ability to own their workflows and open up avenues to collaboration that don’t exist in the market today.
Hacking generative AI with PyRIT
Date: Wednesday, August 7 | 12:40pm-1:50pm ( Business Hall — Arsenal Station 6 )
Tracks: OSINT — Open Source Intelligence, Cryptography
Session Type: Arsenal
In today’s digital landscape, generative AI (GenAI) systems are ubiquitous, powering everything from simple chatbots to sophisticated decision-making systems. These technologies have revolutionized our daily interactions with digital platforms, enhancing user experiences and productivity. Despite their widespread utility, these advanced AI models are susceptible to a range of security and safety risks, such as data exfiltration, remote code execution, and the generation of harmful content. Addressing these challenges, PyRIT (Python Risk Identification Toolkit for generative AI), developed by the Microsoft AI Red Team, stands out as a pioneering tool designed to identify these risks associated with generative AI systems.
PyRIT empowers security professionals and machine learning engineers to proactively identify risks within their generative AI systems, enabling the assessment of potential risks before they materialize into real-world threats. Traditional methods of manual probing for uncovering vulnerabilities are not only time-consuming but also lack the precision and comprehensiveness required in the fast-evolving landscape of AI security. PyRIT addresses this gap by providing an efficient, effective, and extensible framework for identifying security and safety risks, thereby ensuring the responsible deployment of generative AI systems. It is important to note that PyRIT is not a replacement for manual red teaming of generative AI systems. Instead, it enhances the process by allowing red team operators to concentrate on tasks that require greater creativity. PyRIT helps to assess the robustness of these generative AI models against different responsible AI harm categories such as fabrication/ungrounded content (e.g., hallucination), misuse (e.g., bias), and prohibited content (e.g., harassment).
By the end of this talk, you will understand the presence of security and safety risks within generative AI systems. Through demonstrations, I’ll show how PyRIT can effectively identify these risks in AI systems, including those based on text and multi-modal models. This session is designed for security experts involved in red teaming generative AI models and for software/machine learning professionals developing foundational models, equipping them with the necessary tools to detect security and safety vulnerabilities.
Key Features of PyRIT include:
1. Scanning of GenAI models utilizing prompt injection techniques.
2. Support for various attack strategies, including single-turn and multi-turn engagements.
3. Compatibility with Azure OpenAI LLM endpoints, enabling targeted assessments. Easy to extend to custom targets.
4. Prompt Converters: Probe the GenAI endpoint with a variety of converted prompts (Ex., Base64, ASCII).
5. Memory: Utilizes DuckDB for efficient and scalable storage of conversational data, facilitating the storage and retrieval of chat histories, as well as supporting analytics and reporting.
Snapback: Wicked Fast HTTP(S) Screenshots with Automated Password Guessing
Date: Wednesday, August 7 | 1:55pm-3:10pm ( Business Hall — Arsenal Station 2 )
Tracks: Vulnerability Assessment, Web AppSec
Session Type: Arsenal
Web applications with weak or default passwords are a common easy win for penetration testers. Frequently, network appliances expose a web application for device management that IT staff are not aware of, and therefore never lock down. The only problem for penetration testers is the time it takes to sift through hundreds or even thousands of web interfaces to find ones with weak credentials. This process is usually performed by first taking screenshots of each web service, and then manually searching for the default credentials for each one and manually attempting each credential pair. To greatly speed up the process, Snapback was designed to automatically fingerprint and brute force passwords while taking each screenshot. All of the fingerprinting and brute forcing code is modular, allowing easy extension for newly identified services.
Network Monitoring Tools for macOS
Date: Wednesday, August 7 | 3:15pm-4:20pm ( Business Hall — Arsenal Station 1 )
Tracks: Malware Defense, Network Defense
Session Type: Arsenal
As the majority of malware contains networking capabilities, it is well understood that detecting unauthorized network access is a powerful detection heuristic. However, while the concepts of network traffic analysis and monitoring to detect malicious code are well established and widely implemented on platforms such as Windows, there remains a dearth of such capabilities on macOS.
Here, we will present various tools capable of enumerating network state, statistics, and traffic, directly on a macOS host. We will showcase open-source tools that leverage low-level APIs, private frameworks, and user-mode extensions that provide insight into all networking activity on macOS:
Specifically we’ll demonstrate:
* A network monitor that allows one to explore all network sockets and connections, either via an interactive UI, or from the commandline.
* A DNS monitor that uses Apple’s Network Extension Framework to monitors DNS requests and responses directly from the Terminal.
* A firewall that monitors and filters all network traffic, giving users with the ability to block unknown/unauthorized outgoing connections.
Traceeshark — Interactive System Tracing & Runtime Security using eBPF
Date: Wednesday, August 7 | 4:25pm-5:35pm ( Business Hall — Arsenal Station 3 )
Tracks: Data Forensics/Incident Response, Malware Defense
Session Type: Arsenal
Traceeshark brings the world of Linux runtime security monitoring and advanced system tracing to the familiar and ubiquitous network analysis tool Wireshark.
It is now possible, using Wireshark, to record an immense variety of system events using Aqua Security’s eBPF based runtime security tool Tracee, and analyze them interactively.
Tracee is a runtime security and forensics tool for Linux, utilizing eBPF technology to trace systems and applications at runtime, analyze collected events to detect suspicious behavioral patterns, and capture forensics artifacts. Up until now, a typical workflow using Tracee involved running Tracee from the CLI, perform some activity, stop Tracee, dump its logs to a file, and analyze the file using command line tools or scripting languages. Analyzing packets captured by Tracee was done separately, and in general the entire process was very manual.
Now, events generated by Tracee can be analyzed interactively using Wireshark’s advanced capabilities, which include interactive filtering, displaying statistics and performing advanced data aggregations. Traceeshark also provides the ability to capture events using Tracee directly from Wireshark and have them stream in like a network capture. Another game-changing feature is the ability to analyze system events side by side with network packets generated by Tracee that contain rich context about the system process and container they belong to.
The combination of Tracee’s wide use in the security industry and its advanced system tracing and forensic capabilities, together with Wireshark’s universal popularity in the entire IT industry, its maturity and ease of use, opens up a whole new world of capabilities for dynamic malware analysis, forensics, kernel hacking and more.
Damn Vulnerable UEFI (DVUEFI): An Exploitation Toolkit and Learning Platform for Unveiling and Fixing UEFI Firmware Vulnerabilities
Stanislav Lyakhov
Mickey Shkatov
Date: Thursday, August 8 | 10:10am-11:20am ( Business Hall — Arsenal Station 9 )
Tracks: Exploitation and Ethical Hacking, Vulnerability Assessment
Session Type: Arsenal
Inspired by projects such as Damn Vulnerable Web Application and OWASP’s Damn Vulnerable Web Sockets, Damn Vulnerable UEFI (DVUEFI) is designed to help guide ethical hackers, security researchers, and firmware enthusiasts in getting started with UEFI firmware security, by facilitating the exploration of vulnerabilities by example. The DVUEFI project is engineered to simulate real-world firmware attacks, offering an environment for practicing and refining exploitation techniques. DVUEFI is accompanied by a robust, continuously evolving catalog of documented UEFI vulnerabilities. Each entry is detailed with exploitation methods, potential impacts, and strategic mitigation recommendations, serving as both a learning tool and a reference for security practitioners.
CVE Half-Day Watcher: Hunting Down Vulnerabilities Before the Patch Drops
Date: Thursday, August 8 | 11:25am-12:35pm ( Business Hall — Arsenal Station 9 )
Tracks: Vulnerability Assessment, OSINT — Open Source Intelligence
Session Type: Arsenal
Defenders and attackers often simplify vulnerabilities into ‘0-day’ or ‘1-day’ categories, neglecting the nuanced gray areas where attackers thrive. In this session, we’ll explore critical flaws we’ve uncovered in the open-source vulnerability disclosure process and introduce our tool to detect open-source projects that are at risk from these flaws. We’ll reveal how vulnerabilities can be exploited prior to receiving patches and official announcements, posing significant risks for users. Our comprehensive analysis of GitHub (including issues, pull requests, and commit messages) and NVD metadata will illuminate vulnerabilities that don’t neatly fit into the conventional ‘0-day’ or ‘1-day’ classifications but instead fall into ‘Half-Day’ or ‘0.75-Day’ periods — moments when vulnerabilities are known but not yet fully disclosed or patched. Furthermore, we’ll spotlight the techniques employed to identify these vulnerabilities, showcasing various scenarios and vulnerabilities discovered through this method. During this session, we’ll introduce an open-source tool designed to detect such vulnerabilities and emphasize the window of opportunity for attackers to exploit this information and develop exploits. Our objective is to aid practitioners in identifying and mitigating issues throughout their vulnerability disclosure lifecycle.
Open Source LLM Security
Date: Thursday, August 8 | 11:25am-12:35pm ( Business Hall — Arsenal Station 7 )
Tracks: Exploitation and Ethical Hacking, OSINT — Open Source Intelligence
Session Type: Arsenal
Akto’s Open Source LM Security tool will solve the following problems
- Prompt Injection Vulnerabilities
- Overreliance on LLM Outputs
- Insecure Output handling in LLMs
- Sensitive data exposure via LLMs
On average, an organization uses 3+ LLM models. Often most LLMs in production will receive data indirectly via APIs. That means tons and tons of sensitive data is being processed by the LLM APIs. Ensuring the security of these APIs will be very crucial to protect user privacy and prevent data leaks.
Akto’s Open Source LLM Security Testing solution addresses these challenges head-on.
By leveraging advanced testing methodologies and state-of-the-art algorithms, Akto provides comprehensive security assessments for GenAI models, including LLMs. The solution incorporates a wide range of innovative features, including over 60 meticulously designed test cases that cover various aspects of GenAI vulnerabilities such as prompt injection, overreliance on specific data sources, and more.
Our tool Akto focuses on solving the above problems by providing:
1. Provide automated LLM Security tests:
1. **OWASP LLM Top 10 coverage** — Akto can automatically test LLM (exposed via APIs) for critical vulnerabilities like Prompt Injection, Sensitive Information Disclosure, etc.
2. **Fully customizable test suite** — This feature enables users to modify existing tests or create their own.
3. **Combine with business logic** — The tests can be invoked as part of the application workflow (e.g., post-login, after support ticket creation, etc.)
2. Automate in your DevSecOps pipeline:
1. **Run tests through CLI** — Developers and security engineers can execute these tests through a single-line CLI.
2. **Integrate with CI/CD** — You can also add Akto to your CI/CD pipeline to automate the entire testing process.
3. **Use LLMs to test LLMs** — You can also use suggestions and prompts from other LLMs to test your LLM
This tool will be very interesting for:
- **Application Security teams** — it’s a one stop shop of LLM Security testing. Tests like prompt injection, overreliance will be especially interesting for them.
- **Blue teamers/infra security** — Getting an automated LLM API inventory and getting alerts for any new sensitive APIs. They can also get a view of all sensitive PII data being shared across all their services and across all their LLM APIs.
LDAP Firewall
Date: Thursday, August 8 | 12:40pm-1:50pm ( Business Hall — Arsenal Station 6 )
Tracks: Network Defense, Reverse Engineering
Session Type: Arsenal
The Lightweight Directory Access Protocol (LDAP) is used in Windows domain environments to interact with the Active Directory schema, allowing users to query information and modify objects (such as users, computers, and groups). For a Windows environment to properly function, LDAP must be left open on the Domain Controllers and be accessible to all users of the domain. As only limited logs are available for LDAP, and it is impossible to natively harden the LDAP configuration, the environment is at a constant risk.
LDAP Firewall is an open-source tool for Windows servers that lets you audit and restrict incoming LDAP requests. Its primary use cases are to protect Domain Controllers, block LDAP-based attacks (such as BloodHound and sAMAccountName spoofing), and tightly control access to the Active Directory schema.
We will present the LDAP Firewall, demonstrating how it defends against previously un-detectable attacks by hardening and monitoring the DC servers. We will also discuss the reverse-engineering process of the Windows LDAP library, how the protocol works, and the technical details of the LDAP Firewall.
PIZZAbite & BRUSCHETTA-board: THE Hardware Hacking Toolkit!
Date: Thursday, August 8 | 1:55pm-3:10pm ( Business Hall — Arsenal Station 8 )
Track: Hardware/Embedded
Session Type: Arsenal
In the last decade we have witnessed the emerging of a new era of connected devices. With this new trend, we also faced a security knowledge gap that in the recent years emerged respect to the (I)IoT landscape. The lack of a properly-defined workflow to approach a security audit of (I)IoT devices and the lack of technical expertise among security personnel in relation to embedded hardware security worsen this gap even further. To bring some clarity and order to this complicated and variegated matter It has been developed PIZZAbite & BRUSCHETTA-board: an all-in-one hardware hacking toolkit that can be considered the swiss-army-knife of any hardware hacker.
BRUSCHETTA-board is the latest device of the so-called WHID’s CyberBakery family. It all started in 2019 from a personal need. The idea was to have a board that could gather in one single solution mutliple tools used by hardware hackers to interact with IoT and Embedded targets. It is the natural evolution of the other boards already presented in the past at BlackHat Arsenal: Focaccia-Board, Burtleina-Board and NANDo-Board. It has been designed for any hardware hacker out there that is looking for a fairly-priced all-in-one debugger & programmer that supports: UART, JTAG, I2C & SPI protocols and allows to interact with different targets’ voltages (i.e., 1.8, 2.5, 3.3 and 5 Volts!).
PIZZAbite is a cheaper and open-hardware version of a commercial PCB holder, perfect for probing & holding your PCB while soldering or inspection. The PIZZAbite PCB probes are mounted on flexible metal arm and a powerful magnet in the base for easy positioning. The one of the kind “lift and drop” function takes away the need for annoying and complicated set screws. Thanks to the extreme flexibility of the arms connected to the PIZZAbite PCBs, the compressible needle (a.k.a. PogoPin) maintain constant pressure at the probing point so even if the board is bumped into the probe tip will always stay in position.
In this presentation, we will review with practical examples how PIZZAbite & BRUSCHETTA-board work against real IoT devices.
AI Wargame
Date: Thursday, August 8 | 2:30pm-4:00pm ( Business Hall — Arsenal Lab )
Tracks: Arsenal Lab, Code Assessment
Session Type: Arsenal
Come join a fun and educational attack and defence AI wargame. You will be given an AI chatbot. Your chatbot has a secret that should always remain a secret! Your objective is to secure your chatbot to protect its secret while attacking other players’ chatbots and discovering theirs. The winner is the player whose chatbot survives the longest (king of the hill). All skill levels are welcomed, even if this is your first time seeing code, securing a chatbot, or playing in a wargame.
MEET & GREET WITH SPEAKERS
August 7–8 | Business Hall
This year, attendees will be able to connect with select industry experts through new Meet & Greet sessions scheduled during both days of the conference. Participate in a Meet & Greet to ask a speaker from your favorite session a question, introduce yourself to a Review Board member, or take a photo with a new connection.
WEDNESDAY | 11:00AM
Meet & Greet with Caitlin Sarian (Cybersecurity Girl)
- Speaker: Caitlin Sarian
- Track: Meet & Greet
- Location: Meetup Lounge
WEDNESDAY | 2:00PM
- Speaker: Richard Harang
- Track: Meet & Greet
- Location: Meetup Lounge
WEDNESDAY | 3:00PM
Meet & Greet with Natalie Silvanovich
- Speaker: Natalie Silvanovich
- Track: Meet & Greet
- Location: Meetup Lounge
WEDNESDAY | 4:00PM
Meet & Greet with Chris Wysopal
- Speaker: Chris Wysopal
- Track: Meet & Greet
- Location: Meetup Lounge
Meet & Greet with Michael Bargury
- Speaker: Michael Bargury
- Track: Meet & Greet
- Location: Meetup Lounge
WEDNESDAY | 5:00PM
Meet & Greet with Sanne Maasakkers
- Speaker: Sanne Maasakkers
- Track: Meet & Greet
- Location: Meetup Lounge
THURSDAY | 11:00AM
Meet & Greet with Mark Parsons and Morgan Demboski
- Speaker: Mark Parsons, Speaker: Morgan Demboski
- Track: Meet & Greet
- Location: Meetup Lounge
THURSDAY | 1:00PM
Meet & Greet with Daniel Gruss and Stefan Gast
- Speaker: Daniel Gruss, Speaker: Stefan Gast
- Track: Meet & Greet
- Location: Meetup Lounge
THURSDAY | 2:00PM
Meet & Greet with Alon Dankner
- Speaker: Alon Dankner
- Track: Meet & Greet
- Location: Meetup Lounge
Meet & Greet with Jason Healey
- Speaker: Jason Healey
- Track: Meet & Greet
- Location: Meetup Lounge
THURSDAY | 3:00PM
Meet & Greet with Keynote Speaker Jen Easterly
- Speaker: Jen Easterly
- Track: Meet & Greet
- Location: Meetup Lounge
MEETUP LOUNGE
Pre-Arranged Meetings
To schedule pre-arranged meetings with other attendees, here are a few tips:
Step 1: Complete Your Profile
When you log into your Black Hat Events app (Swapcard) account (which will be available for attendees starting July 25), complete your profile by selecting your needs and preferences. You can do this by clicking on the “My Profile” tab in the event app platform.
Step 2: Request One-on-One Meetings
Attendees can request meetings with any attendee registered for the event through the Black Hat Events app (Swapcard). You will be able to search attendees by job title, professional interest, and other filters (including if they are available for meetings). You’re welcome to send them a meeting request with a proposed date, time, and location. Meetings will take place in the Meetup Lounge which is in Hall C of the Business Hall. At the time of your meeting simply show your confirmed meeting request at the check-in counter to be assigned a table.
The Black Hat Events app (Swapcard) is a fantastic way to make new connections — -and affords attendees control over their meeting schedules. If you want to exchange contact details, send the person a connection request and upon approval, you can both see each other’s contact details. If you accept a meeting request, contact details are also exchanged.
If you cannot fulfill a meeting request, you’re free to reschedule or if time does not permit, decline it.
SPONSORED SESSIONS & WORKSHOPS HIGHLIGHTS (PST)
“Guess Who?” The Cloud Detection and Response Board Game
Alexander Lawrence | Field CISO, Sysdig
Date: Wednesday, August 7 | 10:20am-10:40am ( Business Hall Theater F )
Format: 20-Minute Sponsored Session
Track: Cloud Security
In today’s cloud security landscape, Cloud Detection and Response (CDR) plays a pivotal role in safeguarding enterprise environments against sophisticated cyber threats. Interestingly, the classic game “Guess Who?” offers a surprisingly apt metaphor for understanding the principles and processes underpinning CDR. “Guess Who?” involves players deducing their opponent’s chosen character through a series of yes-or-no questions, systematically narrowing down possibilities based on observable characteristics. Similarly, CDR involves identifying and responding to security threats by continuously monitoring cloud environments, analyzing data in real time, and employing investigative techniques to filter out benign activities from potential security incidents. Both rely on a process of elimination, pattern recognition, and strategic questioning to reach a conclusive identification.
In this session, we’ll walk through what a game of “Guess Who?” would look like in the cloud. We’ll highlight how real-time detection, strategic investigation, and data-driven decision-making are critical for security operation teams to assess and respond to cloud threats at cloud speed.
How I Learned to Kick My Microsoft Addiction and Protect My Company from Redmond’s Mistakes
Alex Stamos | Chief Trust Officer, SentinelOne
Date: Wednesday, August 7 | 10:20am-11:10am ( Business Hall Theater B )
Format: 50-Minute Sponsored Session
Tracks: Cloud Security, Endpoint Security
Over the last year, the world has become aware of multiple intrusions into Microsoft’s cloud products by the Chinese and Russian governments, and companies have struggled to calibrate their own risk with the limited or incorrect information that Microsoft has be willing to share. In this talk, we will explore what we know about the latest major intrusions into Microsoft’s cloud products and why it is time for security-conscious companies to begin to uncouple their security model from Microsoft’s. We will dive into the technical details of how SentinelOne is changing how we handle authentication, Windows system management, cloud trust and authorization to limit the blast radius from Microsoft’s products, and how you too can learn to love security heterogeneity.
Post Quantum Cryptography Unveiled: Protecting Your Digital Future with IBM Quantum Safe
Jai Arun | Head of IBM Quantum Safe Product Management and Strategy, IBM
Terrence Head | Global Business Development Executive, IBM
James McGugan | Chief Architect & Development Lead, IBM
Michael Epley | Chief Architect and Security Strategist, Red Hat
Date: Wednesday, August 7 | 10:20am-12:20pm ( Oceanside — E )
Format: Half-Day Sponsored Workshop
Tracks: Risk, Compliance and Security Management, Data & Collaboration Security
Join us for an enlightening half-day workshop tailored for security professionals and developers at the Black Hat Conference. IBM Quantum Safe experts will guide you through the disruptive potential of cryptographically relevant quantum computers and the urgent need for quantum-safe measures. This session will equip you with the knowledge to safeguard your organization against future quantum threats.
Agenda:
1) Explore the impact of quantum computers on current cryptographic systems.
2) Engage in an interactive discussion on the journey towards implementing quantum-safe practices.
3) Solution Demo IBM Quantum Safe Explorer and Remediator with first look at new features coming soon
Who Has the Keys to Your Data?
Richard Gldberg | Board Advisor, Quantum Knight.io
Date: Wednesday, August 7 | 10:55am-11:15am ( Start-Up Theater )
Format: 20-Minute Start-Up City Sponsored Session
Tracks: Data & Collaboration Security, Cloud Security
Who has the keys to your data?
Whether at rest or in transit the encryption of your data should be in your hands.
There needs to be a paradigm shift in who controls the keys to the encryption of your data
Sometimes we have a practice that we’re doing that just needs to be questioned. We’ve been doing it for so long that it is just the way its done.
Maybe after you question the way you’re doing something you decide that hey that’s OK. I’m fine with the way. I’m doing it now but other times when you question the way you’re doing something, you stand back and you say I do need to change my behavior in this area, let me give you a little example.
I relate almost everything back to food. A recipe was being handed down from mother to daughter and the daughter was preparing the recipe, it said cut the ends of the ham off, she called her mom and asked, “why do we cut the ends of the ham off?” She said, that’s the way your grandma did it ‘“ She called her grandma and asked, “why did you cut the end of the ham off? She goes, “well I had a really small pan so I had to cut the end of the ham off.”
So let me ask this question again, who has the keys to your data. When your data is encrypted, who has the keys? Are you handing the keys to someone else to take care of them? Who are you trusting to lock your data down? Why? Because we always do the recipe that way? Shouldn’t you have the keys to your data?
Defeating Modern Adversaries: Insights from the 2024 CrowdStrike Threat Hunting Report
Adam Meyers | SVP, Counter Adversary Operations, CrowdStrike
Date: Wednesday, August 7 | 11:25am-12:15pm ( Mandalay Bay — I )
Format: 50-Minute Sponsored Session
Track: Security Operations & Incident Response
Adversaries are increasingly bypassing legacy detection methods, resulting in a 55% rise in interactive intrusions. They’re mastering cross-domain attacks — targeting endpoints, identities, and cloud environments — while groups like SCATTERED SPIDER refine their techniques to exploit the cloud.
To effectively stop and disrupt the modern adversary, you need in-depth knowledge of their tactics. Join Adam Meyers, SVP of Intelligence at CrowdStrike, as he delves into the latest adversary trends in the 2024 Threat Hunting Report. In this session, you’ll learn why there was an 86% spike in hands-on-keyboard activity by eCrime adversaries, and the importance of cross-domain threat hunting to stay ahead of modern threats.
Get inside the mind of the adversary with CrowdStrike.
Scary Long-Game Social Engineering Attacks That Most of Us Would Fall For
Roger Grimes | Data Driven Defense Evangelist, KnowBe4
Date: Wednesday, August 7 | 11:30am-12:20pm ( Mandalay Bay J )
Format: 50-Minute Sponsored Session
Tracks: Endpoint Security, Infrastructure Protection
Sophisticated cybercriminals are playing the long game. Unlike the typical hit-and-run cyber attacks, they build trust before laying their traps. They create a story so believable and intertwined with trust that even the most careful individuals can get caught in a trap set over time. Join us for this presentation where Roger A. Grimes, Data-Driven Defense Evangelist at KnowBe4, walks you through the ins and outs of long-game social engineering advanced techniques.
AI vs. AI: Using Precision AI Technology to Counter AI-Enabled Threat Actors
Scott Fanning | VP of Product Management, Palo Alto Networks
Date: Wednesday, August 7 | 12:05pm-1:30pm ( Lagoon CD, Level 2 )
Format: 60-Minute Lunch & Learn
Tracks: Endpoint Security, Cloud Security
The recent emergence of Artificial Intelligence has drastically changed the way we work and live, increasing our efficiency and productivity, helping us make better decisions, and much more. However, as expected, AI has already fallen into the hands of today’s threat actors, heightening the sophistication of their attacks and making them faster, more widespread, and ultimately harder to detect. Join Scott Fanning, Vice President of Product at Palo Alto Networks, as he explains how AI must be used in Network Security to fight off AI-enabled attackers and stop zero-day threats.
Attack & Defend — Deconstructing a Cyber Crime
Brandon Traffanstedt | Sr. Director, Field Technology Office, CyberArk
Date: Wednesday, August 7 | 1:30pm-2:20pm ( Business Hall Theater C )
Format: 50-Minute Sponsored Session
Tracks: Endpoint Security, Identity and Access Manage (IAM)
Our 2024 Attack and Defend series focuses on deconstructing cybercrime. The rapid growth of digital identities has increased vulnerability to ransomware and supply chain attacks. Cybercriminals continually evolve their tactics, but effective defense remains possible through privileged access protection for all identities.
The session offers a reality-based experience, drawing on CyberArk Labs research and incident response insights.
We simulate a battle where: Brandon Traffanstedt demonstrates step-by-step attacks, revealing common tools, tactics, and procedures, all while showcasing security best practices for managing and securing those identities
The SEXi Threat: How to Protect ESXi from Ransomware
Jason Mar-Tang | Field CISO, Pentera
Yuval Lazar | Security Researcher, Pentera
Date: Wednesday, August 7 | 2:40pm-3:00pm ( Mandalay Bay K )
Format: 20-Minute Sponsored Session
Track: Risk, Compliance and Security Management
Ransomware attacks on VMware ESXi servers are on the rise, creating unprecedented security challenges for IT personnel. This presentation will provide you with essential strategies to safeguard your infrastructure against these sophisticated threats.
Discover how ransomware like SEXi exploits ESXi environments, by delving into the mechanics, methods, and severe impacts of ESXi ransomware, including operational disruptions and data breaches. This session is vital for IT security professionals and network administrators dedicated to strengthening their defenses.
The Mesh is The New Web, with Universal Private Computing Built In
Manu Fontaine | Founder and CEO, Hushmesh Inc.
Date: Wednesday, August 7 | 1:50pm-2:10pm ( Start-Up Theater )
Format: 20-Minute Start-Up City Sponsored Session
Tracks: Data & Collaboration Security, Identity and Access Manage (IAM)
The Mesh is the new Web, with Universal Private Computing built in. Secured by the Universal Name System (UNS) and Universal Certificate Authority (UCA), the Mesh delivers what the Web never could: the global assurance of provenance, integrity, authenticity, reputation, confidentiality, and privacy of all bits within it, be they code or data, at internet scale. This groundbreaking infrastructure enables the deployment of certified code, accessing private data, across a global network of confidential computing machines. Let’s build the future of computing together!
Who Knew? Domain Hijacking is So Easy
Dave Mitchell | Principal Threat Researcher, Infoblox
Date: Wednesday, August 7 | 2:05pm-2:25pm ( Business Hall Theater F )
Format: 20-Minute Sponsored Session
Tracks: Cloud Security, Infrastructure Protection
Learn about the insidious DNS Sitting Ducks attack vector that threat actors are using to hijack domains from major brands, government institutions, and other organizations, large and small. This vector is simple to exploit, hard to detect, and entirely preventable. Russian cybercriminal actors are heavily leveraging Sitting Ducks to support a wide range of malicious activities, and over a million domains are vulnerable every day. Who knew?
A Bot-Infested World: How to Win the Battle Against an Invisible Threat
Larry Wiggins | Vice President, Security Operations and Technology, Cloudflare
Blake Darché | Head of Cloudforce One, Cloudflare
Date: Wednesday, August 7 | 2:35pm-3:25pm ( Business Hall Theater C )
Format: 50-Minute Sponsored Session
Tracks: Infrastructure Protection, Security Operations & Incident Response
Bad bots, if left unchecked and unmonitored, have the power to massively disrupt businesses, cause financial losses, and even collapse critical infrastructure. Considering one-third (31.2%) of all Internet traffic stems from bots, with the majority (93%) being unverified and potentially malicious — the security world is in a dire situation. Bad bots are a menace upon the web, upon organizations, and upon our community. So, how do we win this war?
This session will dive into the anatomy of current real-world use cases, including an attack that resulted in one of the largest data breaches in recent years, and a separate campaign carried out on an unsuspecting victim. Experts will detail the anatomy of bots, the different types of attack trends they carry out, and the tangible ways to implement vigilant and proactive defense strategies within your security infrastructure to combat bot threats.
Cross-Platform Evasion: Offensive Tooling for Windows, macOS, and Linux
Kyle Avery | Principal Offensive Specialist Lead, Fortra
Date: Wednesday, August 7 | 1:30pm-1:50pm ( Business Hall Theater F )
Format: 20-Minute Sponsored Session
Track: Security Operations & Incident Response
macOS and Linux systems play a significant role in modern enterprise environments, including developer workstations, critical business applications, and container workloads. The need for effective tools becomes crucial as the demand for red teams to assess these systems grows. Outflank Security Tooling (OST) offers cross-platform capabilities, enabling dynamic engagements with evasive adversarial techniques that challenge and prepare blue teams for today’s skilled attackers. This presentation will showcase the latest additions to OST for macOS and Linux, highlighting how these tools can empower operators to reach their objectives. Join us as we demonstrate the toolkit in a modern network featuring a variety of systems and technologies.
OWASP Top 10 for LLMs — Myths & Realities
Rehan Jalil | CEO, Securiti
Jim Reavis | CEO, Cloud Security Alliance
Date: Wednesday, August 7 | 3:40pm-4:30pm ( Mandalay Bay J )
Format: 50-Minute Sponsored Session
Tracks: Data & Collaboration Security, Risk, Compliance and Security Management
Are your AI security defenses strong enough to withstand today’s generative AI vulnerabilities? OWASP Top 10 vulnerabilities specific to LLMs provide a robust reference framework for mitigating AI and data risks. While traditional security techniques fall short in protecting modern AI applications, even deploying an LLM Firewall to protect the model at the edge is not enough.
The non-deterministic nature of the LLMs and their complex interactions with data sources and other AI systems in a modern app presents significant security, privacy, and compliance challenges. Join us for an engaging talk where we will debunk common myths and reveal the realities around OWASP Top 10 for LLMs.
Further, we will explore a holistic 5 step AI security approach needed to prevent and mitigate risk due to these OWASP LLM application vulnerabilities.
Understand AI and Data Security Challenges: Explore shadow AI, OWASP Top 10 vulnerabilities for LLMs, data mapping, and sensitive data exposure risks.
Implement Multi-Layered LLM Firewalls: Protect your prompts, data retrieval, and responses using a multi-layered approach.
Enforce Data Entitlements: Prevent unauthorized data access in GenAI applications.
Enforce Inline Data Controls: Safeguard sensitive data during model training, tuning, and RAG (Retrieval Augmented Generation).
Automate Compliance: Streamline adherence to emerging data and AI regulations.
Defeating Modern Adversaries: Insights from the 2024 CrowdStrike Threat Hunting Report
Adam Meyers | SVP, Counter Adversary Operations, CrowdStrike
Date: Wednesday, August 7 | 3:40pm-4:30pm ( Business Hall Theater B )
Format: 50-Minute Sponsored Session
Track: Security Operations & Incident Response
Adversaries are increasingly bypassing legacy detection methods, resulting in a 55% rise in interactive intrusions. They’re mastering cross-domain attacks — targeting endpoints, identities, and cloud environments — while groups like SCATTERED SPIDER refine their techniques to exploit the cloud.
To effectively stop and disrupt the modern adversary, you need in-depth knowledge of their tactics. Join Adam Meyers, SVP of Intelligence at CrowdStrike, as he delves into the latest adversary trends in the 2024 Threat Hunting Report. In this session, you’ll learn why there was an 86% spike in hands-on-keyboard activity by eCrime adversaries, and the importance of cross-domain threat hunting to stay ahead of modern threats.
Get inside the mind of the adversary with CrowdStrike.
Go Hack Yourself: More War Stories from ~60k Pentests
Snehal Antani | CEO and Co-Founder, Horizon3.ai
Date: Wednesday, August 7 | 3:50pm-4:10pm ( Mandalay Bay L )
Format: 20-Minute Sponsored Session
Tracks: Infrastructure Protection, Cloud Security
Join Snehal Antani, CEO of Horizon3.ai, for an eye-opening session where he’ll discuss real-world examples of what NodeZero discovered in networks just like yours. You’ll hear about how fast and easy it is to compromise some of the largest networks in the world — with full domain takeover — often in minutes, and sometimes, without even exploiting a CVE. Discover how autonomous pentesting helps find unknown weaknesses in your infrastructure before attacker do.
During this session, you’ll learn how organizations just like yours are using autonomous pentesting to:
- Secure their supply chains to ensure they’re not accepting someone else’s risk.
- Discover weaknesses in cloud implementations that could result in compromise.
- Set up an early detection system for actual threats in the most high-risk areas.
I (Don’t) Know What You Did Last Summer: Using Application Isolation to Defend Against Snooping Browser Malware
Patrick Schläpfer | Principal Threat Researcher, HP Inc
Alex Holland | Principal Threat Researcher, HP Inc
Date: Wednesday, August 7 | 4:25pm-4:45pm ( Business Hall Theater D )
Format: 20-Minute Sponsored Session
Track: Endpoint Security
“Assume breach” is a common mantra among infosec professionals, but what does this look like in practice on endpoints? In this talk, we walk through how to achieve data compartmentalization, practically, and why this is so important for preventing data breaches across scenarios from everyday personal computing to enterprise privileged access use cases. We use ChromeLoader — a family of stealthy browser extension malware — as a case study to show the impacts of failing to compartmentalize data. A top threat for web surfers, ChromeLoader is remarkably effective at infecting endpoints without being detected, with campaigns in recent months achieving a 0% detection rate. Posing as PDF conversion tools, free movies and video games, once installed its operators can snoop information from the victim’s browsing session, their search queries, as well as redirect victims to malicious websites and inject content into pages. We will walk through how the TTPs of this malware have evolved from 2022 up to recently observed campaigns in June 2024, explaining the techniques it uses to bypass Windows security features. We will then discuss the technical state of the art that is available to organizations to protect themselves from such threats. In particular, we will explore how to protect critical business applications using application isolation solutions that combine software and hardware controls, even when an endpoint is infected with malware.
Top 5 Reasons Companies Keep Using Dead OSS
Aaron Frost | CEO, HeroDevs
Date: Wednesday, August 7 | 4:25pm-4:45pm ( Business Hall Theater F )
Format: 20-Minute Sponsored Session
Tracks: Risk, Compliance and Security Management, Application Security
It’s shocking to learn all the reasons why the world’s largest companies and governments are legally required to keep using open source software that is dead / end-of-lifed / no longer supported. Let us share with you the top 5 reasons why this happens. And it may not surprise you to learn that it’s not likely to stop any time soon.
The Deep, Dark, Digital Truth: Inside the Dark Web Market for Deepfakes and the Battle for Digital Truth
Mannie Willkan | Associate Manager, Accenture
Louis DiValentin | Technology Research Sr. Principal, Accenture
Abhishek Simkhada | Security Engineering Manager, Accenture
Date: Thursday, August 8 | 10:20am-11:10am ( Mandalay Bay J )
Format: 50-Minute Sponsored Session
Track: Security Operations & Incident Response
Perception is reality. When Generative AI achieved General Availability, it turbocharged the market for synthetic media. Today, it is cheap and easy to create a deepfake of almost anyone whose likeness is online. It is expensive and technically difficult for most organizations to prevent and detect them. C2PA, watermarking, and other efforts so far have a lot of merit but by themselves aren’t enough. Most difficult is to teach people to identify genuine vs synthetic content, to tune organizational processes vulnerable to human error, and to repair reputational damage after it’s been done.
In this talk, we dive into the tech specs behind the exponential evolution of deepfake capability over the past year. We explain what is driving the velocity of deepfake technology — including how they are more believable and easier to create, in less time with fewer resources. We then take you on a tour of the dark web for the latest multi-modal deepfake technology on offer. Then, we demonstrate what that technology can do and show you how we did it.
We conclude by discussing what must be done about deepfakes in the long run. We discuss what principles provide assurance of digital truth, despite the untold adaptations and malicious application of synthetic media. We consider what Zero Trust means in the future of deepfakes, how to create reliable context, and what the right protective and detective technology must be capable of at the pace of operations.
Spear-Phishing to PowerShell: AI-Powered Cybersecurity Techniques
Kevin O’Connor | Director of Threat Research, Adlumin
Jeet Dutta | Director of Data Science, Adlumin
Date: Thursday, August 8 | 11:25am-12:15pm ( Business Hall Theater A )
Format: 50-Minute Sponsored Session
Tracks: Cloud Security, Endpoint Security
Join us as Adlumin, a Managed Detection and Response (MDR) provider, dives into the practical applications of Machine Learning in both targeted attacks and defensive operations. Members of our Data Science and Threat Research team will discuss the evolution of traditional AI methods into generative AI and their use by both attackers and defenders. We will demonstrate how attackers use Large Language Models (LLMs) to execute targeted spear-phishing attacks that bypass Multi-Factor Authentication (MFA) using open-source tools and the EvilGinx platform. Additionally, Adlumin will present ensemble ML models that combine traditional and generative AI methods to identify malicious PowerShell activities.
Rubik’s Cube Tactics: How Rotating Resource Strategies Solved Real-World Cyberattacks
MacKenzie Brown | VP of the Adversary Pursuit Group, Blackpoint Cyber
Date: Thursday, August 8 | 1:00pm-2:30pm ( Lagoon KL, Level 2 )
Format: 60-Minute Lunch & Learn
Tracks: Security Operations & Incident Response, Managed Security Services
Like solving a Rubik’s cube, effective infosec strategies require proactive consideration of — and solving for — both technology and team together. From active response capabilities to intelligence-driven risk mitigation, each facet of your organization’s security “puzzle” twists into the next.
Solving your security puzzle through better team and technology alignment creates a complete infosec program that’s greater than the sum of its parts.
When your security puzzle is left half-solved, threats can — and will — slip between the cracks in your defenses.
Join the Adversary Pursuit Group (APG), as we present original research and analysis of three recent cyberattacks within Blackpoint Active SOC-protected environments to prove how technology and people must work together to solve complex real-world infosec problems, including:
Novel cloud-based attacks against a Critical Infrastructure partner featuring possible insider threats and business email compromise (BEC);
Supply-chain and third-party-based attacks against multiple MSPs, occurring after a “theoretical” proof of concept publication; and
A ransomware attack deployed under four minutes against a Healthcare partner.
The Ecosystem of SIM Swap
Nelson Rivera | Sr. Manager, Cybersecurity, T-Mobile
Date: Thursday, August 8 | 1:30pm-1:50pm ( Mandalay Bay K )
Format: 20-Minute Sponsored Session
Tracks: Endpoint Security, Security Operations & Incident Response
We’ll delve into the intricate ecosystem of SIM swap fraud, exploring the evolving tactics used by cybercriminals, the vulnerabilities in mobile networks, and the impacts on individuals and organizations. Our expert speaker will provide valuable insights and strategies to safeguard against this growing threat in today’s digital landscape.
Our Defensive Security Blindspot
Wesley Hales | CEO, LeakSignal
Date: Thursday, August 8 | 3:00pm-3:20pm ( Start-Up Theater )
Format: 20-Minute Start-Up City Sponsored Session
Tracks: Cloud Security, Data & Collaboration Security
The evolution of Kubernetes and microservices has ushered in the era of modern architecture, characterized by ephemeral, multi-cloud environments housing hundreds to thousands of services. Despite a decade of technological advancement, existing cybersecurity defenses have struggled to keep pace. Commoditized solutions such as WAF, API and bot defenses necessitate routing application-bound network traffic through a CDN (for analysis) and back to the origin — lacking any visibility into East-West workload traffic. Furthermore, container runtime solutions are capable of monitoring system process usage to try and detect bad activity, but they fall short of understanding the broader view of services, workloads and data in-transit.
If we can elegantly monitor sensitive data metrics and other network signals at scale, on the wire, in transit, then the odds of detecting accidents, abuse and data exfiltration go way up. This session will teach attendees how to use data classification to detect bad things that are happening in live East/West and North/South traffic — e.g. understand accidental data emission, mitigate threat actors, identify zero days and much more through the analysis of Layer 4–7 data within network traffic. Attendees will leverage cloud native tooling such as prometheus and grafana to monitor sensitive data emitted from APIs, gRPC, logs, and other protocols within a live service mesh.
By the end of the session, attendees will be equipped with new skills, techniques and open source tooling to gain complete understanding of how to protect modern architectures and the systems contained within them through structured and unstructured data classification.
DCG 201 TALK HIGHLIGHTS FOR BLACK HAT USA 2024 (PST)
This is the section where we have comb through the entire list of talks on both days and list our highlights for the talks that stand out to us. Note that this does not invalidate any talks we didn’t list, in fact, we highly recommend you take a look at the full convention schedule beforehand and make up your own talk highlight lists. These are just the talks that for us had something stand out, either by being informative, unique or bizarre. (Sometimes, all three!)
WEDNESDAY, AUGUST 7th
Keynote: Democracy’s Biggest Year: The Fight for Secure Elections Around the World
Jen Easterly | Director, Cybersecurity and Infrastructure Security Agency (CISA)
Hans de Vries | COO, European Union Agency for Cybersecurity (ENISA)
Felicity Oswald OBE | CEO, National Cyber Security Centre (NCSC)
Christina A. Cassidy | Reporter, The Associated Press
Date: Wednesday, August 7 | 9:00am-10:00am ( Michelob ULTRA Arena )
Format: 60-Minute Keynote
Track: Keynote
2024 is the year for global democracy. The year when a record-breaking number of countries held national elections; when more than two billion voters cast ballots to shape the future of their nation and the world. In the foreground of this monumental moment, emerging technologies and heightened global tensions confront the resilience of even the world’s longest standing democracies. This session will unpack how key international leaders are approaching election security risks to the democratic processes — such as cyber threats, foreign malign influence, and the role of generative AI — and ensure that 2024 is no anomaly, but an inflection point. Join CISA Director Jen Easterly, NCSC CEO Felicity Oswald, and ENISA COO Hans de Vries as they discuss the challenges of protecting democracy.
Project 0xA11C: Deoxidizing the Rust Malware Ecosystem
Nicole Fishbein | Security Researcher, Intezer
Juan Andrés Guerrero-Saade | AVP of Research (SentinelLabs), SentinelOne
Date: Wednesday, August 7 | 10:20am-11:00am ( Oceanside C, Level 2 )
Format: 40-Minute Briefings
Tracks: Reverse Engineering, Malware
In malware analysis, the arrival of a new programming language introduces an entirely new set of challenges that obstruct our understanding of the malicious intent of a threat actor. Minor idiosyncrasies and newfangled artifacts become minor annoyances, while radical shifts in programming paradigms equate to major analysis blockers. Given the brittle state of our tools and the already steep requisite expertise, you can’t blame REs and malware analysts for shying away from disproportionately complex malware. However, this reluctance inadvertently creates blind spots readily exploited by adversaries.
The Go programming language serves as a prime example of this phenomenon. Its quirks (see: placing unterminated strings in an unparsed blob) and inherent complexities (function prototypes repeatedly broken by handling multiple return values on an ephemeral stack) bred collective reluctance until our hands were forced by high-profile incidents like the Solarwinds supply-chain attack. To remedy the situation, we crafted an analysis methodology with accompanying atomic scripts, dubbed AlphaGolang. The result was the surprising realization that once underlying data is put back in its rightful context, reversing Go is often easier than traditional languages.
We’ve observed a similar trend with Rust malware. Rust’s features, such as memory safety, aggressive compiler optimizations, borrowing, intricate types and traits translate into a perplexing tangle of code that surpasses even C++ in the complexity of its abstractions. APTs and ransomware groups alike have embraced Rust and yet we avert our gaze.
Let’s tackle this problem head-on. Drawing on insights derived from the development of AlphaGolang, we introduce ‘Project 0xA11C’ (‘Oxalic’)– a practical methodology and accompanying tools to make Rust reverse-engineering approachable. We’ll showcase the benefits by reanalyzing in-the-wild examples of APT malware like RustDown, RustBucket, and Spica — No ‘Hello World!’s found here! With added clarity, we’ll finally glimpse at the true size of the Rust malware ecosystem and see what lies ahead.
Tunnel Vision: Exploring VPN Post-Exploitation Techniques
Ori David | Senior Security Researcher, Akamai
Date: Wednesday, August 7 | 10:20am-11:00am ( Islander FG, Level 0 )
Format: 40-Minute Briefings
Tracks: Network Security, Enterprise Security
We have all heard this story before — a critical vulnerability is discovered in a VPN server. It’s exploited in the wild. Administrators rush to patch. Panic spreads across Twitter.
Attackers have long sought to exploit VPN servers — they are accessible from the internet, expose a rich attack surface, and often lack in security and monitoring. Historically, VPNs were primarily abused to achieve a single objective: gaining entry into internal victim networks. While this is evidently very valuable, control over a VPN server shouldn’t solely be seen as a gateway to the network, and can certainly be abused in various other ways.
In this talk, we will explore VPN post-exploitation — a new approach that consists of different techniques attackers can employ on the compromised VPN server to further progress their intrusion. To demonstrate this concept, we will inspect two of the most common VPN servers on the market — Ivanti Connect Secure and Fortigate, and show how an attacker with control over them can collect user credentials, move laterally, and maintain persistent access to the network.
We will conclude by detailing best practices and principles that should be followed by security teams when using VPN servers to reduce the risk from post-exploitation techniques.
15 Ways to Break Your Copilot
Michael Bargury | CTO, Zenity
Avishai Efrati | Senior Security Researcher, Zenity
Date: Wednesday, August 7 | 11:20am-12:00pm ( Mandalay Bay H, Level 2 )
Format: 40-Minute Briefings
Tracks: Application Security: Defense, Enterprise Security
Microsoft Copilot Studio is the technology that powers Microsoft’s copilots, and the platform behind custom copilots built in the enterprise. The promise is that everyone can build a secure copilot, under the assumption that every bot will be secure by-default. Does it hold under scrutiny?
In this talk, we will show how Copilot Studio bots can easily be used to exfiltrate sensitive enterprise data circumventing existing controls like DLP. We will show how a combination of insecure defaults, over permissive plugins and wishful design thinking makes data leakage probable, not just possible. We will analyze how Copilot Studio puts enterprise data and operations in the hands of GenAI, and expose how this exacerbates the prompt injection attack surface, leading to a material impact on integrity and confidentiality.
Next, we will drop CopilotHunter, a recon and exploitation tool that scans for publicly accessible Copilots and uses fuzzing and GenAI to abuse them to extract sensitive enterprise data. We will share our findings targeting thousands of accessible bots, revealing sensitive data and corporate credentials.
Finally, we will offer a path forward by sharing concrete configurations and mistakes to avoid on Microsoft’s platform, and generalized insights on how to build secure and reliable Copilots.
Hardening HSMs for Banking-Grade Crypto Wallets
Jean-Philippe Aumasson | CSO, Taurus
Chervine Majeri | Engineer, Taurus
Date: Wednesday, August 7 | 11:20am-12:00pm ( Islander FG, Level 0 )
Format: 40-Minute Briefings
Tracks: Cryptography, Hardware / Embedded
We’ve been using hardware security modules (HSMs) as part of a custody solution used by banks for the safekeeping of cryptocurrency and other tokenized assets, often managing billions of dollars in value.
However, solely relying on built-in security mechanisms of an HSM, even when FIPS 140–3 certified, isn’t enough for this use case. In this talk, we’ll first describe an HSM’s feature set, architecture, security guarantees, and inherent limitations. Then we’ll present tricks and techniques we developed to considerably enhance the security of a crypto wallet. These include measures for attack surface reduction, secure configuration enforcement, request filtering, custom policies, as well as replay protection and state management with minimal statefulness.
15 Ways to Break Your Copilot
Michael Bargury | CTO, Zenity
Avishai Efrati | Senior Security Researcher, Zenity
Date: Wednesday, August 7 | 11:20am-12:00pm ( Mandalay Bay H, Level 2 )
Format: 40-Minute Briefings
Tracks: Application Security: Defense, Enterprise Security
Microsoft Copilot Studio is the technology that powers Microsoft’s copilots, and the platform behind custom copilots built in the enterprise. The promise is that everyone can build a secure copilot, under the assumption that every bot will be secure by-default. Does it hold under scrutiny?
In this talk, we will show how Copilot Studio bots can easily be used to exfiltrate sensitive enterprise data circumventing existing controls like DLP. We will show how a combination of insecure defaults, over permissive plugins and wishful design thinking makes data leakage probable, not just possible. We will analyze how Copilot Studio puts enterprise data and operations in the hands of GenAI, and expose how this exacerbates the prompt injection attack surface, leading to a material impact on integrity and confidentiality.
Next, we will drop CopilotHunter, a recon and exploitation tool that scans for publicly accessible Copilots and uses fuzzing and GenAI to abuse them to extract sensitive enterprise data. We will share our findings targeting thousands of accessible bots, revealing sensitive data and corporate credentials.
Finally, we will offer a path forward by sharing concrete configurations and mistakes to avoid on Microsoft’s platform, and generalized insights on how to build secure and reliable Copilots.
Splitting the Email Atom: Exploiting Parsers to Bypass Access Controls
Gareth Heyes | Researcher, PortSwigger
Date: Wednesday, August 7 | 1:30pm-2:10pm ( Mandalay Bay H, Level 2 )
Format: 40-Minute Briefings
Tracks: Application Security: Offense, Enterprise Security
Websites often parse users’ email addresses to identify their organization. Unfortunately, parsing emails is far from straightforward thanks to a collection of ancient RFCs that everyone knows are crazy. You can probably see where this is going…
In this session, I’ll introduce techniques for crafting RFC-compliant email addresses that bypass virtually all defenses leading to broken assumptions, parser discrepancies and emails being routed to wildly unexpected destinations. I’ll show you how to exploit multiple applications and libraries to spoof email domains, access internal systems protected by ‘Zero Trust’, and bypass employee-only registration barriers.
Then I’ll introduce another class of attack — harmless-looking input transformed into malicious payloads by unwitting libraries, leading to yet more misrouted emails, and blind CSS injection on a well-known target.
I’ll leave you with a full methodology and toolkit to identify and exploit your own targets, plus a CTF to develop your new skillset.
Cracking the 5G Fortress: Peering Into 5G’s Vulnerability Abyss
Kai Tu | Research Assistant, The Pennsylvania State University
Yilu Dong | Research Assistant, The Pennsylvania State University
Abdullah Al Ishtiaq | Research Assistant, The Pennsylvania State University
Syed Md Mukit Rashid | Research Assistant, The Pennsylvania State University
Weixuan Wang | Graduate Researcher, The Pennsylvania State University
Tianwei Wu | Research Assistant, The Pennsylvania State University
Syed Rafiul Hussain | Assistant Professor, The Pennsylvania State University
Date: Wednesday, August 7 | 2:30pm-3:00pm ( Oceanside C, Level 2 )
Format: 30-Minute Briefings
Tracks: Mobile, Exploit Development & Vulnerability Discovery
The advent of 5G technology promises to revolutionize the mobile communication landscape, offering faster speeds and more secure connections. However, this technological leap also introduces many security challenges, particularly within the 5G baseband in mobile phones. Our research introduces 5GBaseChecker, the first ever dynamic security testing framework designed to uncover logical vulnerabilities, e.g., authentication bypass in the protocol implementations of 5G basebands. With the design of new automata learning and differential testing techniques, 5GBaseChecker not only identifies 0-day vulnerabilities but also facilitates the systematic root cause analysis of the security flaws in commercial 5G basebands. Using 5GBaseChecker, we tested 17 commercial 5G basebands and 2 open-source 5G baseband (UE) implementations, uncovering 13 unique 0-day vulnerabilities and a total of 65 vulnerability instances across all tested implementations.
Among our findings, the most critical vulnerability is the “5G AKA Bypass” discovered in one of the widely used 5G basebands. This vulnerability allows attackers to intercept and eavesdrop on victims’ Internet data and inject phishing SMS messages. The implications of this attack are profound; it affects users globally who utilize 5G devices with that particular baseband. This flaw violates the underlying security guarantees of 5G technology, leaving users’ security and privacy completely compromised.
In summary, in this talk we will introduce a new security analysis tool 5GBaseChecker. We will showcase the application of this framework in identifying critical security vulnerabilities, including a detailed explanation and real-world exploitation video demo of the 5G AKA Bypass flaw in the commercial basebands.
Surveilling the Masses with Wi-Fi Positioning Systems
Erik Rye | Researcher, University of Maryland
Date: Wednesday, August 7 | 2:30pm-3:00pm ( South Seas CD, Level 3 )
Format: 30-Minute Briefings
Tracks: Privacy, Network Security
Wi-Fi Positioning Systems are used by modern mobile operating systems to geolocate themselves without the use of GPS. Both Google and Apple, for instance, run Wi-Fi Positioning Systems for Android and iOS devices to obtain their own location using nearby Wi-Fi access points as landmarks.
In this work, we show that Apple’s Wi-Fi Positioning System represents a global threat to the privacy of hundreds of millions of people. When iOS devices need to geolocate themselves using nearby Wi-Fi landmarks, they transmit a list of hardware identifiers to Apple and receive the geolocations of those access points in return. Unfortunately, this process can be replicated by an unprivileged adversary, who can recreate a copy of Apple’s Wi-Fi geolocation database by requesting the locations of access points around the world with no prior knowledge.
To make matters worse, we demonstrate that by repeatedly querying Apple’s Wi-Fi Positioning System for the same identifiers, we can detect Wi-Fi router movement over time. In our data, we see evidence of home relocations, family vacations, and the aftermath of natural disasters like the 2023 Maui wildfires. More disturbingly, we also observe troop and refugee movements into and out of the Ukraine war and the impact of the war in Gaza.
We conclude by detailing our efforts at responsible disclosure, and offer a number of suggestions for limiting Wi-Fi Positioning Systems’ effects on user privacy in the future.
TuDoor Attack: Systematically Exploring and Exploiting Logic Vulnerabilities in DNS Response Pre-processing with Malformed Packets
Qi Wang | P.h.D Student, Tsinghua University
Xiang Li | Associate Professor, Nankai University
Chuhan Wang | Ph.D. Candidate, Tsinghua University
Date: Wednesday, August 7 | 2:30pm-3:00pm ( South Pacific F, Level 0 )
Format: 30-Minute Briefings
Track: Network Security
DNS can be compared to a game of chess in that its rules are simple, yet the possibilities it presents are endless. While the fundamental rules of DNS are straightforward, DNS implementations can be extremely complex. In this study, we intend to explore the complexities and vulnerabilities in DNS response pre-processing by systematically analyzing DNS RFCs and DNS software implementations.
We present the discovery of three new types of logic vulnerabilities, leading to the proposal of three novel attacks, namely the TuDoor attack. These attacks involve the use of malformed DNS response packets to carry out DNS cache poisoning (the fastest DNS cache poisoning than ever previous attacks since the time cost is only less than 1s), denial-of-service, and resource consuming attacks.
By performing comprehensive experiments, we demonstrate the attack’s feasibility and significant real-world impacts of TuDoor. In total, 24 mainstream DNS software, including BIND, PowerDNS, and Microsoft DNS, are affected by TuDoor. Attackers can instigate cache poisoning and denial-of-service attacks against vulnerable resolvers using a handful of crafted packets within 1 second or circumvent the query limit to deplete resolution resources (e.g., CPU). Besides, to determine the vulnerable resolver population in the wild, we collect and evaluate 16 popular Wi-Fi routers, 6 prevalent router OSes, 42 public DNS services, and around 1.8M open DNS resolvers. Our measurement results indicate that TuDoor could exploit 7 routers (OSes), 18 public DNS services, and 424,652 (23.1%) open DNS resolvers.
Following the best practice of responsible disclosure, we have reported these vulnerabilities to all affected vendors, and 18 of them, including BIND, Chrome, Cloudflare, and Microsoft, have acknowledged our findings and discussed mitigation solutions with us. Furthermore, 33 CVE IDs are assigned to our discovered vulnerabilities, and we provide an online detection tool as one of the mitigation measures. Our research highlights the urgent need for standardization of DNS response pre-processing logic to enhance the security of DNS.
Please review https://tudoor.net/ for details and the full CVE list.
Attacking Samsung Galaxy A* Boot Chain, and Beyond
Maxime Rossi Bellom | Security Researcher, Quarkslab
Raphael Neveu | Security Researcher, Quarkslab
Damiano Melotti | Security Researcher
Gabrielle Viala | Security Engineer, Quarkslab
Date: Wednesday, August 7 | 3:20pm-4:00pm ( South Seas AB, Level 3 )
Format: 40-Minute Briefings
Tracks: Mobile, Exploit Development & Vulnerability Discovery
During our previous research on Android File-Based encryption, we studied the boot chain of some Samsung devices based on Mediatek system on chips. Our objective was to exploit a known boot ROM vulnerability to bypass the secure boot and ultimately retrieve the required ingredients to brute force the user credentials. Once we became familiar with this boot chain, we decided to take a closer look at a component coming later in the process: the Little Kernel bootloader (LK, also called BL3–3).
We begin our bug-hunting journey in LK from a jpeg parser that was introduced by the vendor. Then we will show how, thanks to reverse engineering and fuzzing, we discovered two vulnerabilities leading to code execution in the context of the bootloader, and how they can be used to bypass the secure boot and take full control over the Android system.
In order to trigger these vulnerabilities, we need a way to flash our jpegs on the flash memory of the device. We will dive into the implementation of Odin, the Samsung recovery protocol and present a vulnerability we discovered, allowing us to write anything on the flash memory without authentication.
Finally, we will focus on the ARM Trusted Firmware (also known as the secure monitor), which runs with the highest privileges on the device. We will present two critical vulnerabilities we discovered and show how they allowed us to break the last security barrier of this device to leak the secrets hidden in the secure world.
Secure Shells in Shambles
HD Moore | Founder & CEO, runZero
Rob King | Director of Security Research, runZero
Date: Wednesday, August 7 | 3:20pm-4:00pm ( South Pacific F, Level 0 )
Format: 40-Minute Briefings
Tracks: Application Security: Offense, Exploit Development & Vulnerability Discovery
The Secure Shell (SSH) protocol has survived as an internet-facing management protocol for almost 30 years. Over the decades it has transformed from a single patented codebase to a multitude of implementations available on nearly every operating system and network-connected device.
This presentation dives deep into the Secure Shell protocol, its popular implementations, what’s changed, what hasn’t, and how this leads to unexpected vulnerabilities and novel attacks. An open source tool, dubbed “sshamble”, will be demonstrated, which reproduces these attacks and opens the door for further research.
Super Hat Trick: Exploit Chrome and Firefox Four Times
Nan Wang | Security Researcher, Qihoo 360 Vulnerability Researcher Institute
Zhenghang Xiao | Master Candidate, Tsinghua University
Xuehao Guo | Security Research Intern, Qihoo 360 Vulnerability Researcher Institute
Qinrun Dai | PhD Student, University of Colorado Boulder
Date: Wednesday, August 7 | 3:20pm-4:00pm ( South Seas CD, Level 3 )
Format: 40-Minute Briefings
Tracks: Exploit Development & Vulnerability Discovery, Platform Security
With updates to the JS standard and requirements for higher runtime efficiency, Google’s JS engine V8 has implemented newer features such as built-in functions like JSSet.Union and the Turboshaft mid-tier compiler. Firefox’s JS engine SpiderMonkey has also implemented the WebAssembly Garbage Collection specification and the corresponding JIT optimization code.
Our research focuses on the runtime and JIT parts of the V8 engine, and through in-depth exploration of the new JSSet built-in function implementation and Turboshaft, we disclosed two stable and reliable RCE vulnerabilities. Additionally, in our investigation of SpiderMonkey’s wasm gc implementation, we discovered another two RCE vulnerabilities, highlighting our success in vulnerability discovery.
In this talk, we will summarize our methodology and combine it with the four RCE vulnerabilities we discovered. We will introduce the mechanisms of the new attack surface and describe the root causes of the vulnerabilities. From this analysis, we aim to outline four classic vulnerability patterns that exist in JS engines, assisting the open-source community in better identifying these issues.
Finally, we will review the exploitation techniques for these vulnerabilities and provide stable exploitation strategies, aiming to enhance the defense depth of both Google and Mozilla. This talk will conclude with a demonstration of the RCE vulnerabilities.
From Doxing to Doorstep: Exposing Privacy Intrusion Techniques used by Hackers for Extortion
Jacob Larsen | Offensive Security Team Lead, CyberCX
Date: Wednesday, August 7 | 4:20pm-5:00pm ( Jasmine AE, Level 3 )
Format: 40-Minute Briefings
Track: Privacy
Doxing, initially a practice for undermining hackers’ online anonymity by “dropping docs”, has evolved into a tool used for real-world extortion, employing violence-as-a-service tactics like “brickings”, “firebombings” and “shootings”. This escalation reflects a troubling trend where digital conflicts manifest physically and is facilitated by legal gray areas. The ambiguous stance on doxing in U.S. policy complicates accountability, making it a pressing concern for privacy and personal safety.
This talk features first-hand insights from individuals engaged in doxing, through exclusive interviews, which have never been disclosed to the public previously. This includes a wanted threat actor involved in a DEA Data Portal hack, and an administrator of the largest doxing website, Doxbin. This provides a rare glimpse into the secretive world of doxing, and lesser-known privacy intrusion techniques, such as impersonating law enforcement and submitting fraudulent Emergency Data Requests.
The session concludes with actionable advice on safeguarding personal privacy to reduce the risk and impact of doxing. Attendees will leave equipped with knowledge of preventative measures, alongside a call for policy reform to address gaps in U.S. legal frameworks that enable doxing to thrive. This talk not only sheds light on the dark underbelly of cyber extortion, but also fosters a dialogue on essential changes needed to curb the proliferation of doxing.
SnailLoad: Anyone on the Internet Can Learn What You’re Doing
Daniel Gruss | InfoSec Professor, Graz University of Technology
Stefan Gast | InfoSec Researcher, Graz University of Technology
Date: Wednesday, August 7 | 4:20pm-5:00pm ( Oceanside C, Level 2 )
Format: 40-Minute Briefings
Tracks: Network Security, Exploit Development & Vulnerability Discovery
In this talk, we present the first remote attack to infer network activity that requires no person-in-the-middle attack scenario. Our attack is based on the discovery that the remotely measurable network packet latency carries a significant amount of side-channel information tied to the activities on the victim system.
In contrast to previous person-in-the-middle attacks, we have neither a malicious proxy nor access to the local (wireless) network. Instead, our attack works from any arbitrary Internet user to any other arbitrary Internet user if network interaction can be initiated (e.g., through pings or through a background download).
We present an end-to-end attack where the victim loads an asset, e.g., a file or an image, from an attacker-controlled server. While the file or image is benign and possibly signed (e.g., in a package repository), the attacker can still use this connection to spy on the network activity on the victim system from the latency variations.
We present a no-person-in-the-middle video-fingerprinting attack, where we use a single SnailLoad trace to infer what video (out of a set of videos) a victim user is watching momentarily. SnailLoad marks a significant step ahead to more passive and less interactive fully remote attacks across the Internet. We discuss how future developments will influence the next generation of fully remote attacks.
The Way to Android Root: Exploiting Your GPU on Smartphone
Xiling Gong | Security Engineer, Google
Xuan Xing | Manager of Android RedTeam, Google
Eugene Rodionov | Technical Leader of Android RedTeam, Google
Date: Wednesday, August 7 | 4:20pm-5:00pm ( Mandalay Bay H, Level 2 )
Format: 40-Minute Briefings
Tracks: Mobile, Exploit Development & Vulnerability Discovery
GPU security is a vital area of mobile security highlighted both by public security research as well as by in-the-wild attacks. Due to the high complexity of the GPU software/firmware along with a widely available attack surface, issues in GPU provide strong exploitation primitives for local privilege escalation attacks by the code running in unprivileged context.
In this talk, we will focus our research on the Qualcomm Adreno GPU, which is a very popular GPU implementation in mobile devices. We will do a deep dive into Adreno GPU kernel module implementation focusing on the most recent GPU versions, reveal its complex and new attack surfaces, and discuss vulnerabilities we discovered in this component.
In total we identified 9+ exploitable vulnerabilities in Adreno GPU driver leading to kernel code execution and affecting Qualcomm-based devices using the latest GPU models. We will demonstrate the exploitation of one of the race condition issues on a fully-patched widely used Android device to obtain root privileges from zero-permission application with 100% success rate.
Android kernel mitigations such as CFI and W^X create significant hurdles for exploiting vulnerabilities in kernel to achieve code execution. Also race condition usually means unstable, low success rate. We’ll explain how we overcome these challenges with a novel, generic exploit method that leverages GPU features to achieve arbitrary physical memory read/write. This technique bypasses key mitigations (CFI, W^X) and has broader implications for kernel heap buffer overflows. We will cover the technical details of the exploitation, and especially the novel generic exploit method.
We will also discuss the action items that the vendors could take to minimize the impact of this exploit method, as well as general methods to improve the overall security status of the GPU.
THURSDAY, AUGUST 8th
Keynote: Fireside Chat with Moxie Marlinspike
Moxie Marlinspike | Founder, Signal
Jeff Moss | Founder of Black Hat and U.S. Department of Homeland Security Advisory Council, U.S. Department of Homeland Security Advisory Council
Date: Thursday, August 8 | 9:00–10:00 AM (Michelob ULTRA Arena)
Format: 60-Minute Keynote
Track: Keynote
Jeff Moss, the founder of Black Hat, and Moxie Marlinspike, the founder of Signal, sit down and delve into critical topics shaping the future of privacy. Drawing from real-world experience, Jeff and Moxie examine the complex tradeoffs between security and privacy. They detail examples of navigating these tradeoffs, shedding light on decisions and strategies that others have speculated about but have not had to do. They will also discuss why safeguarding personal information should be a core priority for developers and companies alike and the responsibilities cyber leaders play in this mission. Additionally, their conversation will explore the essential role of privacy in enabling social change. Don’t miss this unique opportunity to hear from two of the foremost thinkers in cybersecurity and privacy as they share their experiences, insights, and visions for a more secure and private digital future.
ACE Up the Sleeve: Hacking Into Apple’s New USB-C Controller
Thomas Roth | Founder, Hextree GmbH
Date: Thursday, August 8 | 10:20am-11:00am ( South Pacific F, Level 0 )
Format: 40-Minute Briefings
Tracks: Hardware / Embedded, Mobile
With the iPhone 15 & iPhone 15 Pro, Apple switched their iPhone to USB-C and introduced a new USB-C controller: The ACE3, a powerful, very custom, TI manufactured chip.
But the ACE3 does more than just handle USB power delivery: It’s a full microcontroller running a full USB stack connected to some of the internal busses of the device, and is responsible for providing access to JTAG of the application processor, the internal SPMI bus, etc. Previous variants of the ACE, namely the ACE2 found in MacBooks, could easily be dumped and analyzed using SWD and even be persistently backdoored through a software vulnerability we found.
On the ACE3 however, Apple upped their game: Firmware updates are personalized to the device, debug interfaces seem to be disabled, and the external flash is validated and does not contain all the firmware. However using a combination of reverse-engineering, RF side-channel analysis and electro-magnetic fault-injection it was possible to gain code-execution on the ACE3 — allowing dumping of the ROM, and analysis of the functionality.
This talk will show how to use a combination of hardware, firmware, reverse-engineering, side-channel analysis and fault-injection to gain code-execution on a completely custom chip, enabling further security research on an under-explored but security relevant part of Apple devices.
How Hackers Changed the Media (and the Media Changed Hackers)
Sherri Davidoff | CEO, LMG Security
Lorenzo Franceschi-Bicchierai | Senior Writer/Editor, Cybersecurity, TechCrunch
Robert McMillan | Reporter, The Wall Street Journal
Sadia Mirza | Partner, Troutman Pepper
Date: Thursday, August 8 | 10:20am-11:00am ( Oceanside A, Level 2 )
Format: 40-Minute Briefings
Track: Community & Career
Cyber extortion gangs routinely send journalists (often unsolicited) details about their hacks, victims, and leaked information, hoping that their exploits will make the news and damage victims’ reputation. Journalists, in turn, are placed in a tricky situation, balancing the need to report accurate and true events with the ethics of empowering criminals. In today’s mature hacker economy, some gangs have developed formal media and PR programs (such as the BlackMatter gang, which invited journalists to register on their platform in order to get early notification of data breaches, and direct access to “ask questions and get information from the primary source.”)
Victims, too, manipulate the media when hacks and data breaches occur — often blaming nation-state actors, leveraging PR templates or selectively revealing details. How can journalists report the truth, while not empowering criminals? In this panel, seasoned Wall Street Journal reporter Robert McMillan will share his experiences talking with hackers and victims alike, how they attempt to manipulate journalists, and key strategies that he employs to ensure that articles are fair and accurate. We’ll also hear from journalists who routinely share screenshots and details from hackers — a different media strategy that also comes with the need for careful screening and ethical considerations by journalists. Along the way, we’ll discuss issues such as speed to publication, authentication of materials, corrections, vetting sources, and the victim perspective. Takeaways for the audience will include: strategies for talking to the press, benefits and drawbacks of sharing the victim perspective, and common mistakes to avoid when talking (or not talking) to the media.
OVPNX: 4 Zero-Days Leading to RCE, LPE and KCE (via BYOVD) Affecting Millions of OpenVPN Endpoints Across the Globe
Vladimir Tokarev | Senior Security Researcher, Microsoft
Date: Thursday, August 8 | 10:20am-11:00am ( South Seas AB, Level 3 )
Format: 40-Minute Briefings
Tracks: Exploit Development & Vulnerability Discovery, Application Security: Offense
OVPNX serves as our internal codename for 4 zero-day vulnerabilities discovered within the repositories of OpenVPN, the world’s most popular VPN. Those zero-days affect thousands of companies on major platforms like Windows, iOS, macOS, Android, and BSD. With millions of devices worldwide utilizing OpenVPN, our findings shed light on security risks on a global scale.
This session will explore the technical intricacies of our research, revealing how we uncovered these zero-days in OpenVPN. OpenVPN, being a complex multi-process system running across different privilege levels, including kernel components, relies heavily on OS APIs. We’ll explain how this understanding helped us identify logical vulnerabilities. The actual exploits additionally demanded a deep inspection at the bit and byte level and using reverse engineering. Attendees can expect a comprehensive description of a subset of identified zero-days, including a detailed root-cause analysis.
We will be focusing on demonstrating an exploit chain that starts with remote code execution. The chain starts by remotely attacking OpenVPN’s plugin mechanism, then we crash the NT System service by exploiting the stack overflow in OpenVPN system service. This results in a named pipe instance creation race condition that allows us to reclaim OpenVPN’s named pipe resource. Afterward, we will present an exploit that will impersonate a privileged user, resulting in privilege escalation and eventually leading to kernel code execution by BYOVD (bring your own vulnerable driver) by loading a vulnerable signed driver.
The presentation will also cover mitigation techniques, providing valuable insights into defending against potential attack scenarios. A demo will be presented, displaying a complete attack chain that includes RCE, LPE and KCE (via BYOVD) on the target system.
Swipe Left for Identity Theft: An Analysis of User Data Privacy Risks on Location-based Dating Apps
Karel Dhondt | Researcher
Victor Le Pochat | Postdoctoral Researcher, DistriNet, KU Leuven
Date: Thursday, August 8 | 10:20am-11:00am ( Oceanside C, Level 2 )
Format: 40-Minute Briefings
Tracks: Privacy, Mobile
Location-based dating (LBD) apps enable users to meet new people nearby and online by browsing others’ profiles, which often contain very personal and sensitive data. We systematically analyze 15 LBD apps on the prevalence of privacy risks that can result in abuse by adversarial users who want to stalk, harass, or harm others. Through a systematic manual analysis of these apps, we assess which personal and sensitive data is shared with other users, both as (intended) data exposure and as inadvertent yet powerful leaks in API traffic that is otherwise hidden from a user, violating their mental model of what they share on LBD apps.
As one finding of our research, 6 apps allow for pinpointing a victim’s exact location, enabling physical threats to users’ personal safety. All these data exposures and leaks — supported by easy account creation — enable targeted or large-scale, long-term, and stealthy profiling and tracking of LBD app users. While privacy policies acknowledge personal data processing, and a tension exists between app functionality and user privacy, significant data privacy risks remain. We recommend user control, data minimization, and API hardening as countermeasures to protect users’ privacy.
Laser Beams & Light Streams: Letting Hackers Go Pew Pew, Building Affordable Light-Based Hardware Security Tooling
Sam Beaumont | Director of Transportation, Mobility & Cyber-Physical Systems, NetSPI: Hardware & Integrated Systems Practice
Larry Trowell | Director of Hardware & Embedded Systems, NetSPI: Hardware & Integrated Systems Practice
Date: Thursday, August 8 | 11:20am-12:00pm ( Islander EI, Level 0 )
Format: 40-Minute Briefings
Tracks: Hardware / Embedded, Exploit Development & Vulnerability Discovery
Stored memory in hardware has had a long history of being influenced by light, by design. For instance, as memory is represented by the series of transistors, and their physical state represents 1’s and 0’s, original EEPROM memory could be erased via the utilization of UV light, in preparation for flashing new memory.
Naturally, whilst useful, this also has proven to be an avenue of opportunity to be leveraged by attackers, allowing them to selectively influence memory via a host of optical/light-based techniques. As chips became more advanced, the usage of opaque resin was used as a “temporary” measure to combat this flaw, by coating chips in a material that would reflect undesirable UV.
Present day opinions are that laser (or light) based hardware attacks, are something that only nation state actors are capable of doing; due to both limitations of cost in tooling as well as personnel expertise required. Currently, sophisticated hardware labs use expensive, high frequency IR beams to penetrate the resin.
This project demonstrates that with a limited budget and hacker-and-maker mentality, similar results can be obtained at a fraction of the cost, from the comfort of your home or garage. With the modifications of an opensource low-cost microscope, addition of a home-built beam splitter and interchangeable diode laser, it has been shown that consumer-grade diodes are capable of producing results similar to the high-cost variants, such as the YAG lasers.
One example of results includes introducing affordable avenues to conduct laser-based fault injection, via the usage of such budget-friendly tooling. We are opening the study of these low-level hardware attacking methodologies to more entry-level security testers, without the need for hundreds of thousands of dollars in startup capital.
By leveraging more inexpensive technology alternatives, we have embarked on a mission to unveil hardware malware, detect supply chain chip replacements, and delve into the realm of laser logic state imaging. Our approach integrates optics, laser selection, and machine learning components.
Listen Up: Sonos Over-The-Air Remote Kernel Exploitation and Covert Wiretap
Alex Plaskett | Security Researcher, NCC Group
Robert Herrera | Senior Security Consultant, NCC Group
Date: Thursday, August 8 | 11:20am-12:00pm ( South Pacific F, Level 0 )
Format: 40-Minute Briefings
Tracks: Cyber-Physical Systems & IoT, Hardware / Embedded
Over the last year NCC Group found and exploited many different vulnerabilities within Sonos devices. This led to an entire break in the security of Sonos’s secure boot process across a wide range of devices and remotely being able to compromise several devices over the air.
We leveraged these vulnerabilities to perform hidden recordings of the microphone to demonstrate how a remote attacker could be able to obtain covert audio capture from Sonos devices.
In this talk, we will start off with an introduction to Sonos devices, and describe the device architecture and security controls implemented (such as secure boot and disk encryption).
Then we will move into a deep dive on the Wi-Fi driver architecture and attack surface on the Sonos One. The talk will then describe a vulnerability we identified in the WPA2 Handshake which can allow a remote attacker to compromise the kernel over the air.
The talk will then move to the exploitation of this issue and discuss the novel challenges of developing a remote kernel exploit. To wrap up this section, we will then perform a demo of the attack where we will turn the device into a wiretap capturing all the audio within the physical proximity of the compromised device.
Finally, we will discuss vulnerabilities and exploitation techniques that allowed us to develop the world’s first “jailbreak” of Sonos’s flagship device — the Era-100 by breaking the secure boot chain. This affected 23 Sonos products and allowed the extraction of cryptographic material.
Modern Anti-Abuse Mechanisms in Competitive Video Games
Julien Voisin | Security Researcher
Date: Thursday, August 8 | 11:20am-12:00pm ( Jasmine AE, Level 3 )
Format: 40-Minute Briefings
Tracks: Defense, Human Factors
Cheats are as old as video games, and will be there as long. But the technical cat-and-mouse game of anti-cheats versus cheat isn’t the whole story any more. Nowadays, cheats are considered part of a larger problem: abuses and toxicity. Cheats aren’t (only) hunted down because they’re morally questionable, but because they disturb the way the game is meant to be enjoyed. Toxic and abusive behaviors lead to the very same results: A game that isn’t fun to play because of cheating/abuse/toxicity issues will see its player numbers decrease, have poor reviews … and won’t make money.
In this talk, we’ll look at cheating and abuse/toxicity together, under the umbrella term abuse, and see how video game developers are trying to curb it, via both technical and non-technical mitigations.
Main Stage: Solving the Cyber Hard Problems: A View into Problem Solving from the White House
Harry Coker | National Cyber Director, Executive Office of the President
Steven Kelly | Chief Trust Officer, Institute for Security and Technology
Date: Thursday, August 8 | 12:40pm-1:05pm ( Oceanside A, Level 2 )
Format: 25-Minute Keynote
Track: Keynote
Cybersecurity is full of hard problems. The White House National Cyber Director’s Office was built to take on the hard, long-term challenges in order to seize the initiative from those who consider harming our nation. In his first appearance at Black Hat, National Cyber Director Harry Coker, Jr. will dive into the challenges his office is tackling to protect the nation’s digital infrastructure as well as how extreme coordination in the Federal Government and partners across the public and private sector are setting the course to improve the security of our digital ecosystem.
Locked Down but Not Out: Fighting the Hidden War in Your Bootloader
Bill Demirkapi | Security Engineer, Microsoft Security Response Center
Date: Thursday, August 8 | 1:30pm-2:10pm ( Oceanside A, Level 2 )
Format: 40-Minute Briefings
Tracks: Defense, Platform Security
Secure Boot is integral in shielding a computer’s boot environment from unauthorized code. By only allowing the execution of modules signed by Microsoft or the UEFI Certificate Authority (CA), it raises a barrier against attackers, primarily restricting them to vulnerabilities in legitimate code. While the bar for exploitation is high- typically requiring Admin or some physical access, the potential impact for disk encryption and malicious persistence is significant.
This talk is a deep dive into the systemic weaknesses which undermine the security of your boot environment. We’ll discuss what makes vulnerabilities in the boot stage so challenging to solve, yet so simple to find. We’ll review gaps in the response processes of first- and third-parties and to top it off, the speaker will share a preview of the approaches Microsoft is taking to protect customers at scale.
Quantum Security: Myths, Facts, and Realities
Jean-Philippe Aumasson | CSO, Taurus
Mark Carney | TBD
Tommaso Gagliardoni | Principal Cryptographer and Global Lead in Quantum Security, Kudelski Security, Switzerland
Nathan Hamiel | Senior Director of Research, Kudelski Security
Date: Thursday, August 8 | 1:30pm-2:10pm ( South Pacific F, Level 0 )
Format: 40-Minute Briefings
Tracks: Forward Focus, Cryptography
Quantum computing is slowly but inexorably crawling from the realm of research to commercial considerations. This futuristic technology inspires vivid cyber-dreams and images of teleportation, but this isn’t helpful for decision-makers today. As with any emerging technology, unknowns and complexities are exploited and transformed into hype, fueling funding efforts from governments, businesses, and beyond. But where does that leave us today? Many organizations are concerned about the risks of quantum computers and have started initiatives to address them, but they don’t know where to start. So, what risks do we need to be concerned about? How much of all this comes from informed scientific knowledge, and how much is driven by hype?
In this panel, seasoned experts in quantum computing, cybersecurity, and cryptography will address myths and reality of this technology, with a particular eye on its implications for security and the cost-benefit tradeoff of various solutions. We’ll also provide perspective on where to start when addressing risks from quantum computers. With the right approach you can ensure you are making the most out of your resources and activities.
Hook, Line and Sinker: Phishing Windows Hello for Business
Yehuda Smirnov | Red Team & Security Researcher, Accenture
Date: Thursday, August 8 | 2:30pm-3:00pm ( South Seas CD, Level 3 )
Format: 30-Minute Briefings
Tracks: Enterprise Security, Cloud Security
In my presentation, I will share a method to phish the phishing-resistant authentication mechanism, Windows Hello for Business (WHfB). Despite WHfB’s design to provide secure authentication through cryptographic keys, my research uncovers a method that allows attackers to downgrade this secure method to a more vulnerable, phishable one.
My research reveals how attackers can intercept and modify POST requests to Microsoft’s authentication services and manipulate the system into defaulting to a less secure authentication method. This is achieved by altering parameters such as User-Agent or isFidoSupported in the authentication request.
I will detail the exploitation process, showing how I have modified the EvilGinx framework to automate the attack, making it scalable. Furthermore, I will discuss mitigation strategies, specifically focusing on the implementation of conditional access policies that leverage authentication strength — a feature introduced after reporting the issue to Microsoft, designed to enforce the use of phishing-resistant methods.
This presentation aims to shed light on this flaw, to provide a deeper understanding of Windows Hello for Business and to encourage the adoption of enhanced security measures.
Unmasking Privacy Risks in Post-Cookie Adtech Solutions
Narayana Pappu | CEO, Zendata
Date: Thursday, August 8 | 2:30pm-3:00pm ( Islander FG, Level 0 )
Format: 30-Minute Briefings
Tracks: Privacy, AI, ML, & Data Science
The deprecation of third-party cookies is reshaping the adtech landscape, with a proliferation of alternative solutions promising privacy-preserving audience targeting and measurement. However, our research reveals that many of these approaches introduce subtle yet significant privacy risks that may undermine compliance with regulations like GDPR and CCPA.
Through systematic analysis of leading post-cookie adtech solutions, we demonstrate novel techniques to unmask individual users and correlate their behavior across platforms, despite purported anonymization. We show how vulnerabilities in hashed email-based IDs, clean room data matching, and cohort algorithms can be exploited to re-identify users at scale and assemble invasive profiles.
We also explore the privacy pitfalls of server-side tracking, where first-party data collection exposes users to backdoor third-party sharing without transparency or control. Drawing on case studies, we illustrate how design flaws in consent management platforms can be subverted to manufacture misleading compliance while enabling unauthorized data processing.
Attendees will come away with a clear understanding of the evolving privacy threat landscape in adtech, along with a framework to assess and mitigate risks when implementing new solutions. We’ll provide guidance to navigate technical trade-offs and strengthen privacy defenses in a post-cookie world.
Behind Enemy Lines: Engaging and Disrupting Ransomware Web Panels
Vangelis Stykas | CTO, Atropos
Date: Thursday, August 8 | 3:20pm-4:00pm ( South Pacific F, Level 0 )
Format: 40-Minute Briefings
Tracks: Threat Hunting & Incident Response, Malware
Ransomware groups have become notably proficient at wreaking havoc across various sectors, but we can turn the tables. However, a less explored avenue in the fight against these digital adversaries lies in the proactive offense against their web panels. In this presentation, I will delve into the strategies and methodologies for infiltrating and commandeering the web panels used by ransomware groups to manage their malicious operations or the APIs used during their initial exfiltration of data.
I will demonstrate how to leverage these vulnerabilities to gain unauthorized access to the ransomware groups’ web panels. This access not only disrupts their operations but also opens a window to gather intelligence and potentially identify the operators behind those APTs. Let’s explore the frontiers of cyber offense, targeting the very command and control (C2) centers ransomware groups rely on, turning the tables in our ongoing battle against cyber threats, it’s our turn to wreak havoc
Remote, One-Click, Breaking through Smartphones via a Non Well-Known Remote Attack Surface
Haikuo Xie | Security Researcher, Singular Security Lab
Fan Yang | Security Researcher, Singular Security Lab
Qinrun Dai | PhD Student, University of Colorado Boulder
Date: Thursday, August 8 | 3:20pm-4:00pm ( Islander EI, Level 0 )
Format: 40-Minute Briefings
Tracks: Exploit Development & Vulnerability Discovery, Application Security: Offense
Instant messaging application (such as iMessage and WhatsApp) is an important remote attack surface for smartphones, often used by spyware as the first step in APT attacks, and has received great attention in the past.
Carrier Based video calling, as a native video calling feature of mobile phones, is also a major remote attack surface for smartphones.
We have discovered fatal 0-day vulnerabilities in some native Carrier Based video calling of mobile phones, which have been present for at least 7 years. As long as the target accepts our video call invitation, we can exploit these vulnerabilities to remotely obtain code execution permissions for the target phone’s system.
In this session, we will introduce this remote attack surface we have discovered and provide a few examples to illustrate the potential issues and impacts that may arise within this attack surface.
Tracing Origins: Navigating Content Authenticity in the Deepfake Era
Peleus Uhley | Principal Scientist, Adobe Inc.
Date: Thursday, August 8 | 3:20pm-4:00pm ( Jasmine AE, Level 3 )
Format: 40-Minute Briefings
Tracks: Human Factors, Policy
With the wide availability of generative AI and deepfake technology, the world needs a way to identify the original sources of content and the alterations that occur throughout its existence. Every day we are bombarded with fake images and videos of celebrities, wars, and politicians. For the last several years, hardware, software, photography, news media, and microprocessor companies have joined forces as members of the Coalition for Content Provenance and Authenticity (C2PA). The goal of the C2PA is to provide hardware and software solutions to trace the origin of different types of media. Many of these same companies came together this year to sign a tech accord to combat the deceptive use of AI in the 2024 elections. As a result, support for C2PA is proliferating throughout the ecosystem, with the solution now being embedded into cameras, mobile phones, generative AI solutions, and news media reporting. However, this is just the beginning of the process.
C2PA will span a multi-year journey with challenges that require deep collaboration with the security and privacy community. As a conceptual issue, this is a complex cryptographic and technical solution that must be understandable by the average media consumer. From an operational perspective, the ecosystem must be robust and defend itself against potential threats from nation-state adversaries. Successful implementations must operate seamlessly at both the hardware and software layers. In addition, provenance must allow clear identification of authors while also supporting anonymity. This presentation will discuss the current state of deepfakes, the challenges that lie ahead, and how initiatives like the C2PA and other specifications are trying to address these issues.
Locknote: Conclusions & Key Takeaways from Black Hat USA 2024
Ellen Cram Kowalczyk | Security Engineering Manager, Google
Jeff Moss | Founder of Black Hat and U.S. Department of Homeland Security Advisory Council, U.S. Department of Homeland Security Advisory Council
Nathan Hamiel | Senior Director of Research, Kudelski Security
Window Snyder | Founder & CEO, Thistle Technologies
Jos Wetzels | Partner, Midnight Blue
Date: Thursday, August 8 | 4:20pm-5:00pm ( Mandalay Bay H, Level 2 )
Format: 40-Minute Keynote
Tracks: Keynote, Forward Focus
Join Review Board Members Nathan Hamiel, Ellen Cram Kowalczykik Window Snyder, Jos Wetzels, and Black Hat founder Jeff Moss as they conclude Black Hat USA 2024 with an insightful conversation on the most pressing issues facing the InfoSec community. This Locknote will feature a candid discussion on the conference’s key takeaways and how these trends will impact future InfoSec strategies.
CONTINUE TO: HACKER SUMMER CAMP 2024 — Part Fifteen: DEFCON 32 (COMING SOON)