Panel discussion on Diversity, Equity, and Inclusion in the information security community.
Discussion will be led by Olivia Rose and will feature three local technology leaders: Ian Washburn, Deputy Chief Information Security Officer and Director of Information Security at the University of Notre Dame; Jillean Battle, Chief Deputy Treasurer of State and Chief Privacy Officer for the State of Indiana; and Emily Oakes, Principal Unizin IT Consultant at Indiana University!
Gone are the days when only nation-state-sponsored actors possessed the ability to operate with such a high degree of sophistication that modern security solutions are incapable of providing adequate protection. We now live in a world where dedicated security professionals are forever behind the eight-ball, trying to catch up to the ever-evolving capabilities and threat landscape born from Offensive Cyberspace Operations practices. With the exposure of strategic tactics, techniques, procedures and tradecraft, and the increased availability of high-tech resources such as automation and artificial intelligence, capabilities that were exclusive to organizations such as the NSA, CIA, GRU, and FSB yesterday are at the fingertips of script kiddies today.
Join us for this exclusive event where the experts behind the audacious Operation Borderland will pull back the curtain and expose some of the secrets of how the Borderland Implant is used to successfully bypass many modern security capabilities available today; and, how only by employing Next-Generation and Consolidated solutions can we hope to protect against such sophisticated capabilities. One lucky attendee will even be invited to become the "Operator" and initiate the tasking of our implant through our Command-and-Control system.
Cyber security is a high-stress, high-turnover industry with a seemingly "no-fail" mission. There are countless complexities to manage. How do you manage the complexities and expectations of your role? How do you find a work-life balance? How do you know when you are in burnout? How do you deal with difficult team members? How do you effectively manage your time? How do you build a positive, innovative culture? This discussion will highlight how to develop the mental performance skills needed to manage these complexities effectively and perform your best.
Cameras, CACs, and Clocks: A Story of Millions of Interrogated and Hacked xIoT Devices
We’ve unleashed our dark allies from the nightmare dimension on an unholy crusade to demonstrate cyberattacks for your enlightenment. If you love seeing devices compromised as much as we do, join us for a real hacking demonstration, detailed security research findings, and threat mitigation techniques that will disappoint bad actors. Share your new knowledge around the water cooler, apply these preventative security strategies within your own organization, and become the cool person at the office party everyone wants to hang out with regardless of that cat sweater you insist on wearing. We’ll share stories from the trenches involving cybercriminals, nation-state actors, and defenders. Our presentation will detail findings from over six years of xIoT threat research spanning millions of production devices in enterprises and government agencies around the world. We’ll identify various steps organizations can take to mitigate risk while embracing a Things-connected world. We’ll also demonstrate a hack against an xIoT, or Extended Internet of Things, device. For those who would say, “But they’re just security cameras monitoring the parking garage, wireless access points in the cafeteria, or PLCs controlling robotic welding arms; what harm can they cause?” - this will illuminate that harm. xIoT encompasses four disparate but interrelated device groups that operate with purpose-built hardware and firmware, are typically network-connected, and disallow the installation of traditional endpoint security controls. The first group contains enterprise IoT devices such as VoIP phones, security cameras, wireless access points, network attached storage, and printers. The second group includes OT devices such as PLCs, building automation systems, and industrial control systems. The third group consists of IoMT assets such as infusion pumps, patient monitors, and wireless vital monitors. 
The fourth group contains IIoT devices like robotics, smart factory systems, and temperature sensors. There are over 50 billion xIoT devices in operation worldwide. Most of these devices run well-known operating systems like Linux, Android, BSD, and various real-time operating systems like VxWorks. Additionally, many xIoT devices have open ports, protocols, storage, memory, and processing capabilities similar to your laptop. But there is a major difference. Even though most enterprises and government agencies have tens to hundreds of thousands of these devices in production, they go largely unmanaged and unmonitored. These xIoT devices typically operate with weak credentials, old, vulnerable firmware, extraneous services, and problematic certificates. This massive, vulnerable xIoT attack surface is being successfully exploited by bad actors engaging in cyber espionage, data exfiltration, sabotage, and extortion, impacting xIoT, IT, and cloud assets. Nation-states and cybercriminals have shifted their focus to xIoT attacks. Why? Because they work. Military-grade xIoT hacking tools are in use, cybercrime for hire that’s predicated on compromised xIoT devices has been monetized, and organizations worldwide are already “pwned” without even knowing it. Bad actors are counting on you being passive by not mitigating xIoT security risks. They want you to fail so they can continue to evade detection and maintain persistence on your xIoT devices. Disappoint them! Take your xIoT devices back by understanding how to hack them, recognizing where they’re most vulnerable, and employing strategies to successfully protect them at scale.
An interactive presentation on tools and techniques for building interest and skills in K-12 students in schools, community groups, and at home. Centered on ethical hacking and practical pentesting, participants will get to experience exciting and fun models for learning, as well as some fun samples of very evil children's toys. Led by Joshua Streiff, who both manages IU's hacker house and leads educational outreach for IU Luddy's Internet of Things program, this talk is for all ages and skill levels.
With the increase in security incidents happening across companies, incident response teams are in the spotlight. An incident response playbook will help the team organize the process and provide guidance in a time of chaos. Join me to understand why a playbook is extremely important in the incident response process, what a playbook is, and how to build one for your company from scratch.
DUALITY – Advanced Red Team Persistence through Self-Reinfecting DLL Backdoors for Unyielding Control
During advanced red team engagements, a goal may be to compromise an executive's machine within a network. Typically, the proof-of-concept for this type of goal depicts a screenshot of the executive's desktop, email application, or other similar point-in-time proof. In some cases, an organization may be interested in long-term access to an executive's machine, to highlight the potential impact of long-term compromise and access. Presently, host persistence options are well-signatured by capable Endpoint Detection and Response (EDR) solutions. Options such as auto-startup programs, registry key combinations, and scheduled tasks are under high scrutiny by EDR solutions. Backdooring a single DLL as a form of host persistence may be feasible with current solutions, such as DLL proxying or using the backdoor factory. However, singularly backdoored DLLs are susceptible to program updates which can remove the backdoored DLL. DUALITY can solve this problem by presenting tooling and a sequence of techniques to backdoor two or more DLLs, resulting in a 2-in-1 mechanism for initial access and long-term persistence. This solution can outlive multiple simultaneous program updates for longer-term persistence using backdoored DLLs only. Each infected DLL checks and reinfects other DLLs (the DUALS) as needed. The tooling to be released includes pipelines that perform PIC compilation and a Cobalt Strike aggressor script to interact with backend infrastructure, making this capability operation-ready. After DUALITY logic in a backdoored DLL executes, shellcode-based process injection is performed from the backdoored DLL to keep one C2 implant alive. An encrypted, clean version of NTDLL is included in backdoored DLLs to aid with stealthy DUALITY logic such as process injection. Ultimately, by automating and weaponizing DUALITY-backdoored DLLs, this project hopes to bring more attention to applications loading userland DLLs without signature checking.
As a valuable addition to lengthy and complex privacy policies, Apple has introduced app privacy labels aimed at helping users understand an app's privacy practices more easily. However, the presence of false and misleading privacy labels can deceive privacy-conscious consumers into downloading data-intensive apps, ultimately undermining the credibility and integrity of these labels. Although Apple provides requirements and guidelines for app developers to create accurate privacy labels, little is known about the extent to which these labels in the real world are both correct and compliant, reflecting the actual data practices of iOS apps. This work presents the first comprehensive study, utilizing our newly developed methodology called Lalaine, to assess the consistency between data flow and privacy labels (flow-to-label consistency). Lalaine examined the privacy labels and binaries of 5,102 iOS apps, shedding light on the prevalence and seriousness of privacy label non-compliance. Through detailed case studies and analysis of the root causes behind privacy label non-compliance, we offer valuable insights that complement existing knowledge. These findings contribute to the improvement of privacy label design and compliance requirements, enabling app developers, platform stakeholders, and policy-makers to better fulfill their privacy and accountability objectives. Lalaine has undergone rigorous evaluation for its high effectiveness and efficiency, and we are diligently reporting the results to stakeholders in a responsible manner.
From data centers to network closets, office desktops to public kiosks, laptops to phones: when attackers gain physical access to IT or OT assets, it is very hard to prevent their attempts to steal data or the assets themselves. This training is an overview of some of the ways attackers gain physical access to IT and OT assets, how they attack those assets once they have physical access, and some ways to detect and prevent them. This training will include demos and hands-on experience with common lock picking and bypass techniques. Technical attacks that follow physical access will also be demonstrated. This talk is relevant to anyone with an interest in physical security, or with responsibility for securing cybersecurity infrastructure in any capacity, digital or physical. Participants will gain familiarity with common bypass techniques and technical attacks, enabling them to better evaluate physical security around IT and OT assets in their organization.
There are over 3 billion Chrome users across the globe, with nearly 200,000 active Chrome extensions available in the Chrome Web Store. Chrome extensions have garnered increasing popularity and have become ubiquitous due to their ease of installation, additional functionality, and customization options. The demand for sophisticated Chrome extensions has become a gateway for attackers to exploit browsers and sensitive information. According to industry data, there was an increasing trend of malicious extension installs, resulting in over 1,300,000 install attempts between 2020 and 2022. With Chrome extensions possessing privileged permissions, attackers can not only gain unauthorized access to high-value data but can also change browser behavior by injecting malicious code, leading to critical attacks like XSS and CSRF. Malicious extensions can exfiltrate data unbeknownst to the user, resulting in a breach of privacy. No single Chrome security control can fully protect against all exploitation, but a layered approach has a proven success rate. Protecting against malicious extensions requires a multifaceted approach. Not only is foundational knowledge of browser interactions necessary, but also an understanding of how the extension manifest dictates the permissions, privacy, and security of an extension. Furthermore, additional layers in this pipeline should include default-deny policies, security extension analyzers, and browser isolation agents to investigate extension behavior after loading. In conclusion, this presentation will cover the pressing security concerns surrounding Chrome extensions, describe the present challenges of the available solutions, and highlight our company's approach to mitigating these risks. By implementing robust security measures with enhanced control and monitoring capabilities, we aim to significantly reduce the threats associated with Chrome extensions, ensuring a safer and more secure browsing experience.
How to do a forensic investigation without dedicated tools or advanced training. This is for you if you suspect that your system has been hacked and you:
* don't need to preserve evidence
* are not working with law enforcement
* are not going to court
* are not required to submit a cyber insurance claim
* just need to find out what went wrong and why
* need to get your service back into production ASAP
LLM attacks & OWASP Insights: Let's explore the world of LLM (Large Language Model) attacks with an introduction to the new OWASP LLM Top 10. The explosion of ChatGPT has caused major disruption in nearly every industry. These models are wonderful tools, but they are also fallible, and many are untested. OWASP published its top 10 vulnerabilities and threats to these models in early August of 2023.
In 2015, HD Moore published an article disclosing over 5,800 gas station Automated Tank Gauges (ATGs) which were publicly accessible. Besides monitoring for leakage, these systems are also instrumental in gauging fluid levels, tank temperature, and can alert operators when tank volumes are too high or have reached a critical low. ATGs are utilized by nearly every fuelling station in the United States and tens of thousands of systems internationally. For remote monitoring of these fuel systems, operators will commonly configure the ATG serial interface to an internet-facing TCP port. The process for accessing these systems is quite simple: telnet to the port and issue documented TLS-350 or TLS-250 commands to execute everything from setting alarm thresholds to editing sensor configurations and running tank tests. While tools such as Nmap include scripts for enumerating these devices, the functionality is generally limited to In-Tank Inventory Reports and System Status Reports. These scripts are good for reconnaissance, but what if an attacker decided to prevent the use of the fuel tank entirely by changing access settings and simulating false conditions, triggering a manual shutdown? Could an attacker shutting down over 7,000 fueling stations in the United States with little effort leave the nation crippled? I believe the answer is clear.
Generative AI tools have taken the world by storm and now hold pride of place as the single greatest source of technological disruption in this still young decade. From the Fortune 500, to Silicon Valley startups, to major consultancies, workers and managers are using AI tools to get better work done faster. But in the world of security, there's no such thing as an unalloyed good. Every innovation carries risks and every solution carries drawbacks. In this talk, we examine the key ways in which this new wave of AI tools generate novel business risk and, more importantly, how those various forms of risk can be managed.
Imposter syndrome is a real thing in our professional lives and can have a serious impact on our mental health and professional growth, especially in our industry and coming out of the COVID-19 pandemic. I will discuss the aspects of this issue, its impacts, and how to overcome it, both for yourself and for others.
How to Win Your Penetration Test: Tips, tricks, and theories for getting the most value out of an offensive security test.
We may be biased, but penetration tests are the Swiss Army knife of information security. There is no more effective way to find your gaps, gauge your ability to detect and respond, or protect your crown jewels than by running a live-fire exercise. However, don't just buy the penetration test and wait for the results; there are numerous things you can do to ensure you wring out every last drop of value. Please join us for a candid conversation with some of the best offensive security minds on the planet. What you'll learn:
• Major test types, and what questions they might help you answer
• How to get more than just findings
• Why you want to make your pen tester's life hard