2021 Talks

Keynote: Brain Hacking

Konrad Kording

Keynote: A Fireside Chat With Jack Daniel and Chris Krebs

Chris Krebs

Gamification of Tabletop Exercises

Proving Ground

Standard tabletop exercises (TTXs) are a staple of security risk assessment and are, generally, useless. The same people read verbatim from the same IR/DR/BCP plans, half asleep, wondering how fast they can check this stupid box for their SOC 2 audit. Most of the time, neither the participants nor the facilitator want to be there, and no one comes away having learned anything except to call in sick the next time one is scheduled.

Tabletop Role Playing Games (TTRPGs), on the other hand, bring all the hackers to the yard. While the Venn diagram between gamers and hackers isn’t a perfect circle, it’s probably close. TTRPGs combine elements of simulation, teamwork, and lateral thinking, with just enough random chance to keep it interesting.

Participants will learn about the differences and similarities between TTXs and TTRPGs, why someone would want to gamify a professional exercise, and what makes a game sing.

Kelly Ohlert, Dr. Allan Friedman

Analyzing AutoIt Malware: Tools and Techniques

Proving Ground

AutoIt is a scripting language intended for users and administrators who need to automate repetitive or tedious tasks in Windows. Due to its ease of use and powerful capabilities, AutoIt is used quite frequently by malware authors. Although it is common to find AutoIt malware in the wild, concrete instructional resources for analysis are few and far between. This talk aims to fill that gap by introducing the tools and techniques required for analysis through demonstration and case studies.

Mr. Chris Neal, Jerome Radcliffe

Secure your AWS accounts without breaking the bank

Proving Ground

AWS is everywhere, behind most internet infrastructure, and a fixture of any well-rounded tech resume. However, AWS offers a dizzying number of services, making it hard to know how to navigate their services to secure your accounts and users. Within these dozens of offerings, there is a selection of security services that can up your security while increasing your monthly bill only a little - or not at all.

Whether you work at a startup or a well-funded company, matching budget to security needs is always a struggle. In this session, I describe some of the free services AWS provides and some easy automation techniques that can keep your accounts safer without hitting your budget hard. I’ll address solutions to common problems like DoS, securing data at rest and in transit, and implementing effective authentication and authorization. This talk will be accessible to software engineers without extensive security or AWS experience.

Nishith Shah, Dr. John Seymour

Revisiting the Analog Hole: Using OCR and other techniques to exfiltrate data

Proving Ground

“The Analog Hole” refers to the fact that in order for a user to work with information, it has to be converted into a human-usable form.

This talk looks at Optical Character Recognition (OCR) and other techniques which can be used to covertly extract data by taking advantage of this fact.

Samuel J Greenfeld, Lucas J Morris

Human Security Spaghetti & the Wall you're Throwing it at

Proving Ground

The conversation about data leakage has officially flipped from “if” to “when” a company will be breached by malicious actors. With over 75% of breaches stemming from credential theft, social engineering, and user error, an organization’s ability to train and adapt its employees’ behaviors becomes the cheapest and most effective way to delay compromise. The simulations and training offered by most security education teams do not mimic real-life situations, do not parallel the behaviors that lead to breaches, do not track meaningful metrics, and are not adapted to protect against the real attacks that organizations receive. Moving from the “knowing is half the battle” G.I. Joe model of outdated security awareness to a data-driven behavioral engineering approach will close that gap.

Masha Arbisman, Tom Porter

Secure Mail Takes Professionalism

Proving Ground

Your email address is the center of your digital life - which is why you can’t afford to lose possession of your email account. There are hundreds of commercial email providers on the internet boasting about their commitment to their customers’ privacy and security - but how can you tell who can actually keep your email safe?

This talk compares notable email providers across a set of security-focused criteria.

Jeremy Brown, Ms. Cheryl Biswas

GCP BigQuery as Security Detection Platform

Ground Truth

Every day, we are faced with more and more security data to triage and analyse. SIEMs have been present for years in Security Operation Centers, and many have limitations that have become obvious with the migrations to cloud, especially when it comes to high volumes of data and statistical analysis.

We too have faced this issue, so we took the opportunity to explore unconventional solutions and team up with data scientists to better understand how to manage the volume of data. In doing so, we’ve leveraged BigQuery, the big data platform from Google Cloud Platform.

BigQuery has allowed us to use the power of SQL for security detections and investigations, creating a security detection framework based on infrastructure as code, and applying machine learning built on GCP services for anomaly detection.

When dealing with these types of difficulties, we need to adapt with new tools and techniques. We want to share our lessons learned with the community and show that the path to security big data is not as overwhelming as it may first seem: with good support and community, everything is possible.

Diana Kramer, Norberto García Marín

Aristotle In Security: How an Ancient Greek Can Improve Your Security Program

Proving Ground

Security teams have always needed to build a rock solid business case to justify their expenditures over “shinier” projects… like pretty much anything that generates revenue. And as companies race to modernize and innovate, there are more of those shiny projects competing with limited technology budgets than ever. By taking lessons from an ancient playwright, security teams can better articulate their business cases, capture their executive’s attention, and secure the funding they need to help protect their organization against an increasingly dangerous and diverse threat landscape.

Mr. Brandon Clark, Chester Wisniewski

All Software is Open Source: An Introduction to Reverse Engineering

Common Ground

Commercial software is full of dark secrets - embedded keys and passwords, hidden backdoors, security vulnerabilities… But with companies guarding proprietary source code, is there any hope of discovering and rectifying them?

Enter Reverse Engineering. With its powerful tools and techniques, you can analyze any closed-source software, and have fun doing it!

Dmitriy Beryoza

Static Detection of Novel Malware Using Transfer Learning with Deep Neural Networks

Breaking Ground

Nation-state adversaries are known to write custom malware to conduct cyberwarfare operations, which may go undetected simply due to the novel nature of the malware. According to the United States Congress, foreign militaries are using malware against military information networks to cause the loss of “combat effectiveness.” Industrial control system malware like Triton also has the potential to impact civilian lives. To counter this threat, we propose a method of malware detection using transfer learning with image classification neural networks to statically classify executable binaries as malicious or benign.

Our model can effectively detect malware not in the training data set, including nation-state malware. Most of our tests against nation-state malware gave us over 90% accuracy, with ordinary malware at over 93% accuracy. Our tests included malware written by APT 1, 10, 19, 21, 28, 29, 30 as well as Dark Hotel, Gorgon Group, and Winnti.

While previous research exists on this topic, most of it lacks enough detail to properly replicate the results and use it operationally. Our work aims to be the opposite, providing enough transparency and code to create operational knowledge and provide the audience with the capability to immediately employ this work in threat hunting operations.

Emily Rexer, Henry Reed

AI in a Minefield: Learning from Poisoned Data

Ground Truth

Many security technologies use anomaly detection mechanisms on top of a normality model constructed from previously seen traffic data. However, when the traffic originates from unreliable sources, the learning process needs to mitigate potential reliability issues in order to avoid inclusion of malicious traffic patterns in this normality model. In this talk, we will present the challenges of learning from dirty data with a focus on web traffic, probably the dirtiest data in the world, and explain different approaches for learning from dirty data. We will also discuss a mundane but no less important aspect of learning, time and memory complexity, and present a robust learning scheme optimized to work efficiently on streamed data. We will give examples from the web security arena with robust learning of URLs, parameters, character sets, cookies and more.

Mr. Itsik Mantin

You Don’t Have to Be Crazy to Work Here: An Honest Talk About Mental Health

Common Ground

Cybersecurity professionals spend most of their day focused on the health and wellbeing of the environments in their care. However, the cost of reducing risk and keeping our networks safe often comes at the price of our professionals’ mental health. Many InfoSec professionals burn out, suffer from anxiety and depression, and turn to unhealthy coping mechanisms, which further exacerbate underlying psychological and physical health issues.

This talk will alleviate the stigma around mental health and stress the importance of open and frank dialogs about this critical issue impacting our community. I will share my journey, reverse engineer the stigma of mental health in business, and look at ways to hack mental health in productive and meaningful ways.

Mr. Douglas A Brush

All your Ether are belong to us (a.k.a Hacking Ethereum-based DApps)

Breaking Ground

Blockchain technology is extremely fascinating… It has captured our imaginations because of its huge potential to revolutionize industries such as logistics, food safety, music, insurance, banking, and even voting systems; however, its adoption is still very limited. The reason is simple: blockchains are complex for end users to use.

During recent years, decentralized applications (DApps) have been emerging as candidates to change the rules of the game, mainly because of their ease of use and capability to leverage the full power of blockchains. The big question is… are DApps really secure?

This presentation will show how Ethereum-based DApps work, the technology behind them and some of their most common vulnerabilities. The ultimate goal will be to understand how to attack these applications and, especially, what to do to be protected.

Luis Quispe Gonzales

QuadBlockQuiz - Supply Chain Sandbox Edition

I Am The Cavalry

To teach supply chain risk in a fun way, a game was developed for the Supply Chain Sandbox at RSAC. QuadBlocksQuiz is a reimagined take on Tetris where playful spatial negotiations are infused with real-life trivia challenges from the world of supply chain security.

The talk will begin with why the game was developed and a recap of the 5/18/21 Sandbox event. It will cover the development of the game from the players’ perspective, the developers’ perspective, and the educators’ perspective. The talk will include live demos, pre-recorded demos (some situations just take too long to get to in real time), and 10 minutes of live contest play with as many attendees as are willing to play.

Duncan Sparrell

Latest Threats and Vulnerabilities to Mission-Critical SAP Applications

Common Ground

Mission-critical business applications such as ERP, CRM, PLM, HCM, SCM and BI are the lifeblood of every organization. These applications are often supported by SAP for many large organizations, handling most business processes and storing sensitive data. It’s where customer, sales, financial, product, services, employee information, and trade secrets live.

However, a recent cyber threat intelligence report from Onapsis and SAP highlights active threat actor activity seeking to target, identify and compromise organizations running unprotected SAP applications through a variety of cyberattack vectors.

This talk is designed to help risk, cybersecurity and SAP leaders implement a specific mission-critical application protection program as part of their overall cybersecurity and compliance strategy to effectively and comprehensively protect these applications.

JP Perez-Etchegoyen

Repo Jacking: How GitHub exposes over 70,000 projects to remote code injection

Breaking Ground

Does your project depend on a GitHub repository? It might be vulnerable to remote code injection. This talk will discuss ‘repo jacking’, an obscure supply chain vulnerability that allows attackers to hijack GitHub repositories and achieve remote code execution. This vulnerability has become exceedingly widespread in open-source projects and over 70,000 projects are affected, including popular projects from organizations such as Google, Facebook, Microsoft, and many more. Repo jacking can affect any language and has been found to impact small personal games, huge web frameworks, cryptocurrency wallets, and everything in between.

Come learn about this vulnerability, what causes it, and why it has gone unnoticed for so long. See how a mass analysis of all open source projects was performed to scan for repo jacking and the outcome of this analysis, how prevalent it is, and who is impacted. This talk will also discuss how, through targeted disclosure, over 40% of impacted projects were secured and how a version pinning bypass vulnerability (in both NPM and pip) further increased the impact of repo jacking. Finally, this talk will review important mitigation strategies that you can use to protect your own projects from this vulnerability and other supply chain attacks.

Mr. Indiana Moreau

A Serverless SIEM: Detecting All Baddies

Breaking Ground

Commercial SIEMs are expensive, inflexible and risk vendor lock-in. At Cloudflare, we built a SIEM using a Serverless architecture that provides the scalability and flexibility to perform various Detection and Response functions. We will discuss this architecture, what we have learned after 2 years of handling Cloudflare’s data with it, and how it can be built upon to solve many Security problems in a true pay-as-you-use model.

Chen Cao, Daniel Stinson-Diess

Ghost DMA Attack & The SeDeFuS Conundrum

Breaking Ground

A DMA attack is the exploitation of a computer’s ports to access sensitive data. When an external device plugs into a computer, it connects using direct hardware access to read or write directly to main memory without any operating system supervision or interaction. OS security policies are bypassed, allowing the connected device to directly read or write sensitive data, presenting an opportunity for a DMA attack. If your computer has such a port (e.g., a Thunderbolt port), an attacker who gets brief physical access to it can read and copy all your data, even if your drive is encrypted and your computer is locked or set to sleep. DMA attacks so far have required physical access to a computer to launch a successful attack (e.g., Thunderclap, Thunderspy). In this talk, we present a new class of DMA attack, the Ghost DMA attack, that does not require physical access to the computer. The attack is launched by malicious third-party apps/FW (malware) that run on platform-integrated HW subsystems (PCIe endpoints) by manipulating/programming the subsystem’s DMA Engine to perform arbitrary accesses to the host physical address space, bypassing OS security policies. We will present a demo to show the Ghost DMA attack in action.

Dr. Raghudeep Kannavara, Alan Sheng

Bad Neighborhoods – data-driven detection of malicious internet infrastructure

Ground Truth

Most threats involve communication with the internet at some stage of their attack, and require an IP address to do so. We propose that IP addresses form an attractive target for analysis, as they are fundamental, and difficult to mask.

We introduce two novel machine learning approaches aiming to model structural bias of the internet. Our primary aim is to develop models that provide a reputation score for an IP address based on the neighboring IP addresses’ reputation in a data-driven manner.

IP addresses are important signals themselves, but there are additional features that we can augment our data with, e.g. the internet service provider or the country of the provider. If we have the domain at our disposal, we can augment our feature set with information such as the nameserver resolving the A and PTR records of the domain, or the WHOIS records of the domain. Our secondary goal is for the models to be flexible enough to handle additional features to further improve accuracy.

Because IP addresses can host mixed content, the performance of these models (unsurprisingly) will not be robust enough to support a stand-alone deployment; we nevertheless obtain valuable signals for more complex protection systems.

Tamás Vörös

Let’s Chat About SOC 2s, Baby

Common Ground

“How do we get a SOC 2?” Do those words strike fear and anxiety into your heart as an infosec professional? Do you have visions of being buried under a mountain of fancy risk management software, endless numbers of spreadsheets, and losing sleep for weeks implementing complex audit logging software? Well, take a deep breath and join this talk, in which we break down how to achieve SOC 2 Type II compliance without losing your mind. Your guide today has led many companies of various sizes, but mostly tiny startups, through several years of successful SOC 2 audits, and is here to break it all down. Bring your notebook as we explain why and how.

This talk will not focus on endless checkboxes, or push compliance at the expense of security. Instead, it will be a real-world view of how to achieve compliance audit success without wasting your time, creating busy work, or undoing your hard work securing your users’ data and building a resilient architecture. We’ll explore how to automate, what to automate, how to build a control set that fits your organization, and how to come out the SOC 2 hero.

Ms. Wendy Knox Everette

A Journey To Zero Trust

Ground1234!

How can you ensure that someone can’t bring an unmanaged device to the office that is compromised with ransomware, plug it in, and spread it throughout the environment, causing similar outcomes to WannaCry, NotPetya, etc.? How can you ensure you can build a 100% accurate asset inventory? These all seem like easy problems to solve, but within today’s landscape, it’s a lot more complicated. Throughout this talk, we will walk through our journey to implementing a Zero Trust Model that ensures all devices are authenticated, healthy (e.g. EDR, Network Protection, and Vulnerability Mgmt Tools installed), and accounted for.

So why is this so complicated today? Because endpoints can be secured with multiple solutions depending on whether they are mobile, personally owned, company-owned, cloud, or on-prem. It’s also important to identify the level at which you want to secure the endpoint.

While there isn’t a cookie-cutter approach to this new concept of Zero Trust, we hope to provide some insight into how to start the journey by considering what Zero Trust means to you, what the implementation would look like, and the prioritization of all groups involved.

Joshua Danielson, Ms. Brittany D Little, Dileep Gurazada

Manage Your Attack Surface on a Budget

Common Ground

Today, companies aren’t assessing their attack surface, don’t know where their sensitive data is, and if they do, they are investing in expensive attack surface management solutions that still provide incomplete results.

Whether by accident or malicious intent, we’re seeing companies like Spotify, Hobby Lobby, and others exposing sensitive data to the internet. How can you ensure that your assets are properly managed and cannot be exploited, while also knowing where your sensitive data should and shouldn’t be? More importantly, how can you do this on a budget? In this talk, we’re going to explain Scout, an open-source solution built by the Copart Cybersecurity team to help us move toward solving data identification, on a budget.

With Scout, we can track a complete list of artifacts, ensuring bad actors cannot exploit any unmanaged IPs and/or ports. For managing sensitive data, how do you know developers aren’t replicating a sensitive DB from their laptop? With Scout, we combine existing technologies (e.g. vulnerability management products) to identify any unauthorized data stores housing sensitive data.

With Scout, we can identify assets and data exposed to the internet at a minimal cost and we’re looking to open source both tools.

Ms. Brittany D Little, Dileep Gurazada, Joshua Danielson, Anchal Raheja

The power of guardrails: How to slash your risk of XSS in half

Breaking Ground

Many companies keep seeing the same kind of security bugs pop up, month after month, year after year. And oftentimes these aren’t new, esoteric, never-before-seen bug classes. No, these are classic bug classes we’ve known about and that have been on the OWASP Top 10 for years: cross-site scripting (XSS), SQL injection, etc.

We believe the future of security lies in getting rid of common vulnerabilities by making the default option the safe option. Whether it’s called “secure defaults,” “guardrails,” or building a “paved road,” the method is the same: establishing a set of secure coding defaults that are reinforced by lightweight static analysis.

We present a study based on vulnerabilities from real code showing that secure defaults can significantly raise a company’s security bar. Specifically, we find that embracing secure defaults could have prevented 57% of the 140 instances of XSS across 125 repos on GitHub using Java, Ruby, Python, JavaScript, or Golang. We’re releasing our dataset so that our research can be replicated or extended, and a free set of rules that you can immediately run on your own code to prevent XSS from occurring in the future.

Colleen Dai, Grayson Hardaway

Revenge on the Worms! Towards Deception Against Automated Adversaries

Ground Truth

Automation and artificial intelligence (AI) are both hugely beneficial for cyber defenders. This holds true for red teams too – AI-enabled vulnerability discovery, penetration testing, and red teaming are all active applied research topics. But if we can use AI for our red teams, can our adversaries as well? In the same way we use AI for automated red teaming, we can easily imagine even low-sophistication threat actors creating stealthy, efficient, and extremely fast attacks with a simple push of a button. How should we defend against this?

We think deception is the answer: by crafting deceptions that specifically target automated decision-making algorithms, we can slow down the misuse of AI and automation by adversaries. In this talk, we’ll expand on this thesis, discussing both how the AI automated planning subfield can help malicious actors as well as how planners can be deceived. Our talk will outline a series of simulated experiments we ran showing which types of deception actions/topology modifications made our networks more challenging for an automated planner to compromise. Through this talk, we hope to increase awareness and inspire future research into the area of using deception against automated adversaries.

Andy Applebaum, Dr. Ron Alford

Virtualizing Your Ford SYNC3 for Fun and Profit

Breaking Ground

Vehicle security has attracted a lot of attention lately, but not everyone can afford a vehicle dedicated to research. In this presentation, we will demonstrate how we virtualized SYNC3, the proprietary Ford infotainment system running on QNX, and made it work in QEMU. Our environment is able to bring up most of SYNC3’s components, including the Bluetooth stack, which we will delve deep into in the second part of the presentation. We have also developed a toolchain that allows us to debug and fuzz SYNC3’s programs at scale.

In the second part, we will delve into our research on BtStack, the custom Bluetooth stack of SYNC3, to showcase how the virtualized environment and toolchain benefit us. We will first provide details from our reverse engineering and discuss our research methodology. We implemented a virtual Bluetooth controller to interact with the Bluetooth stack, which makes it possible to conduct fuzzing and testing without a car.

Finally, we will present and analyze some of the bugs we discovered throughout our research.

Mr. Junfeng Yang, Mr. Bo Wang

Search engine deoptimization with Gootloader

Breaking Ground

The Gootkit malware family has been around for more than half a decade: a mature Trojan with functionality centered around banking credential theft. In recent years, almost as much effort has gone into improving its delivery method as has gone into the NodeJS-based malware itself.

In the past, Sophos and other security experts have bundled the discussion of the malware itself with analysis of the delivery mechanism, but as this method has been adopted to deliver a wider range of malicious code, we assert that this mechanism deserves scrutiny (and its own name), distinct from its payload, which is why we’ve decided to call it Gootloader.

In addition to the REvil and Gootkit payloads, Gootloader has been used most recently to deliver the Kronos trojan and Cobalt Strike.

In its latest attempts to evade detection by endpoint security tools, Gootloader has moved as much of its infection infrastructure to a “fileless” methodology as possible. While it isn’t completely fileless, these techniques are effective at evading detection over a network – right up to the point where the malicious activity trips over behavioral detection rules.

Andrew Brandt, Gabor Szappanos

Lessons Drawn From Cybersecurity In The Rise of Privacy Tech

Common Ground

There is increasing interest in privacy innovation, but the critical players (innovators, investors, and privacy domain experts) aren’t connected enough to move things forward at the pace the market needs. We need to bridge these tech-capital-expertise gaps to fuel privacy innovation. Privacy is a critical component in designing and building technology to serve people. Privacy design and engineering are prerequisites for product excellence. Privacy innovation offers market opportunities to those who are able to recognize the value of privacy beyond compliance. For example, Inc. named a privacy tech startup as the fastest growing company in America. The privacy tech landscape is still in its infancy, but its future is brimming with possibilities. We see a world where technology is designed and engineered with privacy in mind, to serve humans and respect their privacy. We see clear value in that.

Lourdes Turrecha, Michelle Dennedy, Melanie Ensign

How I hacked a bank using pen & paper

Ground1234!

Per Thorsheim

Securing the 2020 Presidential Campaign: Threats, Challenges, and a Global Pandemic!

Common Ground

Election security is important, but it’s not about the machines; it’s about the humans who work a campaign and their adversaries.

In 2016, we saw foreign intelligence operations target US Presidential campaigns and the US election process. Leading up to 2020, organizations involved in the campaign ecosystem had to change how they did business, addressing risks posed to systems and personnel, and changing how they use and protect information systems. Why? Cyber adversaries changed everything (and so did the pandemic).

Thousands of staffers had to adapt to a fully remote campaign from our bedrooms and couches - while also fundamentally reinventing how campaigns operate and keep themselves safe.

You’ve seen countless talks about hacking voting machines - this isn’t one of them. This panel is made up of people who worked on the 2020 Democratic campaigns, and we will tell you about the campaign, what we learned, and how we’re going to apply it in the future.

Mr. Timothy Ball, Alison Goh, Krishnan Aiyer, Matt Hodges, Will Rogers

JOINing Across the Stack: Structured Security Analytics for the modern attack surface

Breaking Ground

The security community has embraced osquery as a way to gather and normalize telemetry from endpoints. Now, new extensions can bring that SQL-driven approach to cloud infrastructure and container environments.

This session will cover the basics of the open-source osquery project and introduce cloudquery and kubequery, two open-source extensions to the osquery project that enable security teams to strengthen their cloud security posture. This session will also provide examples of detections and investigative workflows that join together telemetry from cloud-based hosts, container environments, and cloud infrastructure.

In this session, attendees will learn:

- The basics of osquery, cloudquery, and kubequery: powerful open-source tools that normalize security telemetry from hosts, containers, and the cloud
- How these open-source tools can help implement standards such as the CIS Benchmarks for AWS, Azure, and GCP
- Examples of how blue teams and auditing teams can use these tools to identify risk and detect threats in and across cloud and container environments

Mr. Eric Kaiser

Your critical system IS (NOT?) vulnerable: CSAF, VEX, SBOM and the future of advisories

I Am The Cavalry

As more attention is paid to security and the underlying components used in developing software, more organizations will be sending out security advisories. As SBOMs become more widespread, many of these advisories will actually be “false positives,” when the underlying component vulnerability isn’t actually exploitable. Organizations developing and using software will thus face an increasing amount of information to process and prioritize if they want to address the constantly evolving risk.

The German and US governments deliberately chose to partner in coordinating industry-led initiatives to help automate the production, consumption, and scale of advisories, with particular attention to non-traditional software areas like ICS and healthcare. The Common Security Advisory Framework (CSAF) is an OASIS project that seeks to help automate the creation, management, and use of machine-readable vulnerability-related advisories. This talk will further introduce a key idea at the intersection of advisories and SBOM: the “Vulnerability Exploitability eXchange” (VEX), which allows software providers to explicitly communicate that they are not affected by a vulnerability. We close with an overview of the policy context to help practitioners understand where the world of SBOM and advisories is heading.

Dr. Allan Friedman, Jens Wiesner

Knock knock. Who’s there? Betta! Betta who? Betta check your access control edge devices, cause I’m already in.

Breaking Ground

To achieve low latency and better performance, edge computing puts the endpoint devices back in charge, with many critical systems such as facial recognition cameras or medical optical inspectors now able to autonomously extract features and even make decisions.

This autonomy introduces new architectural assumptions: an implicit trust of the endpoint; an increased need for data exchange between all the edge devices; actuation on premises, often controlled directly by the endpoint device.

Are companies aware of these assumptions, when implementing edge computing, or are they simply strapping a new buzzword on top of old IoT hardware?

To answer this, we analyzed four competing edge computing cameras, a class of device that embodies a critical function such as user authentication, and we will show how bad assumptions lead to attacks such as extraction of employee pictures or addition of unauthorized users, often through re-emerging vulnerabilities rooted in 20 years of bad practice.

The audience will learn that, while edge computing is being promoted, not much has been done to analyze the devices for their security fitness in this new architecture and that these are failures that could very easily be found in many other classes of edge devices.

Dr. Vincenzo Ciancaglini, Philippe Z Lin

Stupid Job Posts Don’t Matter!

Hire Ground

I’m mostly kidding, but not really.
I have taught managers for years how to write better descriptions and candidates how to write better resumes, and I will continue to do that. I even spoke at multiple conferences over the last few years for that purpose. But the key is to have a way of getting around and through bad descriptions, because I don’t think we can ever really fix that problem completely. In other words, even though those obstacles exist and likely always will, there are ways to get through them, and that is what I will be presenting.
This presentation isn’t going to offer a solution to making employers do a better job advertising for and determining the best fits for their openings. It will, however, tell you how to make it through bad descriptions and less-than-effective interviewers, and maybe it will even help them see the light!
Looking for a job is an engineering problem. Gather the requirements, do some QA, launch and keep updating!

Kirsten Renner

Healthcare Industry Career Search Panel

Hire Ground

There are many career trajectories in infosec but rarely do we get a chance to take a deep dive into careers that combine information security and healthcare. We have invited two amazing healthcare information security professionals who will share their career paths, suggestions on getting into the industry and what to watch out for.

Kathleen Smith, Mike Murray, Suchi Pahi

Finance Industry Career Search Panel

Hire Ground

There are many career trajectories in infosec but rarely do we get a chance to take a deep dive into careers that combine information security and finance. We have invited amazing finance information security professionals who will share their career paths, suggestions on getting into the industry and what to watch out for.

Kathleen Smith, Alyssa Miller, Peter Keenan, Bandon Wu, Mamani Older

Breaking The Giants With Logic

Proving Ground

Business logic vulnerabilities are probably the gateway through which a large part of the worldwide security community entered the field. Over the years, many people who were essentially amateur technology users came across devastating security issues without knowing that they had just found the “Million Dollar Bug”. In this talk we present some interesting logic-based security vulnerabilities in very large applications such as Facebook and Instagram. These vulnerabilities required no coding skills at all to discover and exploit. The presentation will cover case studies such as “How to become invisible and immune to blocking on Instagram?”, “How to create ghost users in Facebook Groups?” and “How to hack an email invitations system?”. Our aim is to raise the community’s awareness of the importance of digging for logic vulnerabilities, which can pose serious security threats and are very hard to discover with automated scanners.

Mr. Ali Kabeel, Nick Rosario

Do You Understand the Words That Are Coming Out of My Mouth

Proving Ground

After your relentless work and effort to discover threats and vulnerabilities in your organization’s infrastructure, are you frustrated or confused about why upper management does not approve projects or seems clueless about the potential danger of an exploit? For years there has been a communication barrier between security professionals and stakeholders that hinders productivity and the adoption of needed security measures. Discover how to communicate effectively, in nontechnical terms that executives can comprehend and connect to their beloved business goals and objectives.

Mrs. Che’ Jackson, Anna Skelton

Securing and Trusting Third-Party Javascripts in Your Web App

Proving Ground

Third-party JavaScript is ubiquitous. Product teams want third-party scripts in their web pages for a wide range of use cases such as analytics and data validation.

Compromise of these third parties means compromise of our web apps, since their code runs with the full privileges of our origin. Hence, security engineers need to ensure that these scripts are thoroughly vetted and that proper defense-in-depth measures are in place. At the same time, the focus must also be on the risk of trusting these scripts at all.

This talk focuses on how we handle third-party JavaScript at Adobe, which is a three-fold approach:
Risks of including arbitrary third-party scripts
Vetting these third-party scripts
Defense-in-depth measures for third-party scripts

Talk Outline:
Intro
Use cases for third-party scripts and the risk of third-party scripts
Vetting third-party scripts
Defense-in-depth measures for third-party scripts
How risk and trust matter

Audience Takeaways:
Key things to look at when securing third-party scripts while focusing on risk and trust.

Krishna Chirumamilla, Gabriel Ryan

Pros v. Joes After-Action Report

Contests & Events