Included on this page is a list of some of the talks that I have delivered at various hacking and/or information security conferences (specifically the ones that have decent recordings).
Cat-phish Automation – The Emerging Use of Artificial Intelligence in Social Engineering
Delivery
Talk presented at RSA Conference 2023
Talk presented at RSA Conference 2023
Description
Infestations of malicious bots on Internet platforms is nothing new, but the sophistication of these bots has transformed dramatically in recent years and is continuing to evolve. This presentation will explore how the use of advanced artificial intelligence is being incorporated into fraudulent scams and phishing attacks, and what this means for the threat landscape of the future.
Recording
OT Security – Assessment Methodologies for Securing the Things that do the Things
Delivery
Talk presented at HOU.SEC.CON 2021
Talk presented at HOU.SEC.CON 2021
Description
When Information Security professionals attempt to cross-apply their skills to OT (Operational Technology), they often find an environment that, compared to IT infrastructure, is considered beyond reproach. We are often told — “do not patch”, “do not scan”, “do not attempt to harden”, “do not even look at these systems or PEOPLE WILL DIE”. While these risks can be sensationalized, the mishandling of OT infrastructure can indeed result in operational downtime, safety issues, and the potential for loss of life. Drawing from years of OT security experience, the speaker will discuss risk-conscious, white-glove approaches that can be used to effectively assess and secure OT environments, without disrupting critical operations and most importantly, without killing anyone.
When Information Security professionals attempt to cross-apply their skills to OT (Operational Technology), they often find an environment that, compared to IT infrastructure, is considered beyond reproach. We are often told — “do not patch”, “do not scan”, “do not attempt to harden”, “do not even look at these systems or PEOPLE WILL DIE”. While these risks can be sensationalized, the mishandling of OT infrastructure can indeed result in operational downtime, safety issues, and the potential for loss of life. Drawing from years of OT security experience, the speaker will discuss risk-conscious, white-glove approaches that can be used to effectively assess and secure OT environments, without disrupting critical operations and most importantly, without killing anyone.
Recording
Car-hacking: Cyber Criminals on Wheels
Delivery
Talk presented at AASA (Automotive Aftermarket Suppliers Association) Technology Conference in 2021
Talk presented at AASA (Automotive Aftermarket Suppliers Association) Technology Conference in 2021
Description
Now that vehicles have more and more components (both manufacturer and after-market) that connect to the public Internet over cellular networks (such as entertainment systems, networked-climate controls, smart-phone keys, etc.), it is now possible for insecurely designed systems to be exploited in such a way that would allow an attacker to pivot through those components and remotely manipulate the critical operations of a vehicle -- via access to the Control Area Network (CAN). This talk will break down the technical details of how such attacks are possible, draw attention to some historical examples of when such attacks have been achieved, explain basic principles that can be implemented into parts manufacturing (such as threat modeling and isolation) to minimize the risk of those components becoming pivot points for remote compromise of vehicles, and finally address potential financial consequences of failing to implement secure-by-design principles (lawsuits, recalls, regulatory fines, etc.).
Recording
“Alexa, Have You Been Compromised?” – Exploitation of Voice Assistants in Healthcare (And Other Business Contexts)
Delivery
Talk presented at DEF CON 29 IoT Hacking Village (2021)
Description
As voice assistant technologies (such as Amazon Alexa and Google Assistant) become increasingly sophisticated, we are beginning to see adoption of these technologies in the workplace. Whether supporting conference room communications, or even supporting interactions between an organization and its customers — these technologies are becoming increasingly integrated into the ways that we do business. While implementations of these solutions can streamline operations, they are not always without risk. During this talk, the speaker will discuss lessons learned during a recent penetration test of a large-scale “Alexa for Business” implementation in a hospital environment where voice assistants were implemented to assist with patient interactions during the peak of the COVID-19 pandemic. The speaker will provide a live demonstration of how a cyber-criminal could potentially use pre-staged AWS Lambda functions to compromise an “Alexa for Business” device with less than one-minute of physical access. Multiple attack scenarios will be discussed to include making Alexa verbally abuse her users (resulting in possible reputation damage), remote eavesdropping on user interactions, and even active “vishing” (voice phishing) attacks to obtain sensitive information. Finally, the talk will conclude with a discussion of best-practice hardening measures that can be taken to prevent your “Alexa for Business” devices from being transformed into foul-mouthed miscreants with malicious intent.
Recording
YIPPEE-KI-YAY MFA’ER – Bypassing Multi-Factor Authentication with Real-Time Replay Session Instantiation Attacks
Delivery
Talk presented at DEF CON 28 Red Team Village (2020)
Description
In the not-too-distance past, it was fairly easy for red-teamers to conquer almost any environment with a combination of password sprays, or by leveraging social engineering to lure victims to fake login sites and harvest their credentials. But in the current landscape, there are new road-blocks to contend with. Nearly every company and organization has now deployed some form of Multi-Factor Authentication (MFA) on their perimeter services. Fortunately, for red-teamers, the vast majority of implementations of MFA across the Internet (email-based, SMS, OTP, and push requests) all share a common critical flaw that can still be easily circumvented using a modern revision of the classic “credential harvesting” attacks. This talk will offer a comprehensive methodology for how a red team can effectively bypass nearly any MFA service using Python-Flask and browser emulation libraries (Mechanize or Selenium) to replay MFA credentials in real-time, establish legitimate user sessions, and then harvest the session tokens to assume access to those compromised sessions. This methodology will prove once again, that the advantage is still square in the hands of the red team, and that even now…ALL YOUR BASE ARE BELONG TO US!!!
Recording
Warfare on the Social Web
Delivery
Talk presented at HOU.SEC.CON in 2019
Description
Social media has become so prevalent in our lives that, with the right level of access, it is now possible to determine nearly everything about someone. With all of this information now circulating across the web, there are also constant and deliberate efforts by bad actors (rogues, miscreants, and general ne'er-do-wellers) to aggregate and exploit this information. In this talk, Hutch will demonstrate how many of the largest social networks can be used for highly exploitative purposes to include methods for identifying and targeting personnel of specific companies or government agencies, aggregating technology stack profiles of target organizations for APT-style attacks, cat-phishing to coerce action t
ough enticement and/or blackmail, malware distribution, command & control operations, application access creep, and (of course) “fake news” dissemination. This is a technical talk and will include demonstrations of specific proof-of-concepts (with supporting code) related to social media exploitation, but will also appeal to the non-technical audience through a high-level examination of the political, social and business considerations related to social media cyber risks.
Comments
Post a Comment