Skip to main content

Conference Talks

Included on this page is a list of some of the talks that I have delivered at various hacking and/or information security conferences (specifically the ones that have decent recordings).  


OT Security – Assessment Methodologies for Securing the Things that do the Things

Delivery

Talk presented at HOU.SEC.CON 2021

Description

When Information Security professionals attempt to cross-apply their skills to OT (Operational Technology), they often find an environment that, compared to IT infrastructure, is considered beyond reproach.  We are often told — “do not patch”, “do not scan”, “do not attempt to harden”, “do not even look at these systems or PEOPLE WILL DIE”. While these risks can be sensationalized, the mishandling of OT infrastructure can indeed result in operational downtime, safety issues, and the potential for loss of life. Drawing from years of OT security experience, the speaker will discuss risk-conscious, white-glove approaches that can be used to effectively assess and secure OT environments, without disrupting critical operations and most importantly, without killing anyone.

Recording


Car-hacking: Cyber Criminals on Wheels

Delivery

Talk presented at AASA (Automotive Aftermarket Suppliers Association) Technology Conference in 2021

Description

Now that vehicles have more and more components (both manufacturer and after-market) that connect to the public Internet over cellular networks (such as entertainment systems, networked-climate controls, smart-phone keys, etc.), it is now possible for insecurely designed systems to be exploited in such a way that would allow an attacker to pivot through those components and remotely manipulate the critical operations of a vehicle -- via access to the Control Area Network (CAN).  This talk will break down the technical details of how such attacks are possible, draw attention to some historical examples of when such attacks have been achieved, explain basic principles that can be implemented into parts manufacturing (such as threat modeling and isolation) to minimize the risk of those components becoming pivot points for remote compromise of vehicles, and finally address potential financial consequences of failing to implement secure-by-design principles (lawsuits, recalls, regulatory fines, etc.).

Recording


“Alexa, Have You Been Compromised?” – Exploitation of Voice Assistants in Healthcare (And Other Business Contexts)

Delivery

Talk presented at DEF CON 29 IoT Hacking Village (2021)

Description

As voice assistant technologies (such as Amazon Alexa and Google Assistant) become increasingly sophisticated, we are beginning to see adoption of these technologies in the workplace. Whether supporting conference room communications, or even supporting interactions between an organization and its customers — these technologies are becoming increasingly integrated into the ways that we do business. While implementations of these solutions can streamline operations, they are not always without risk. During this talk, the speaker will discuss lessons learned during a recent penetration test of a large-scale “Alexa for Business” implementation in a hospital environment where voice assistants were implemented to assist with patient interactions during the peak of the COVID-19 pandemic. The speaker will provide a live demonstration of how a cyber-criminal could potentially use pre-staged AWS Lambda functions to compromise an “Alexa for Business” device with less than one-minute of physical access. Multiple attack scenarios will be discussed to include making Alexa verbally abuse her users (resulting in possible reputation damage), remote eavesdropping on user interactions, and even active “vishing” (voice phishing) attacks to obtain sensitive information. Finally, the talk will conclude with a discussion of best-practice hardening measures that can be taken to prevent your “Alexa for Business” devices from being transformed into foul-mouthed miscreants with malicious intent.

Recording


YIPPEE-KI-YAY MFA’ER – Bypassing Multi-Factor Authentication with Real-Time Replay Session Instantiation Attacks

Delivery

Talk presented at DEF CON 28 Red Team Village (2020)

Description

In the not-too-distance past, it was fairly easy for red-teamers to conquer almost any environment with a combination of password sprays, or by leveraging social engineering to lure victims to fake login sites and harvest their credentials. But in the current landscape, there are new road-blocks to contend with. Nearly every company and organization has now deployed some form of Multi-Factor Authentication (MFA) on their perimeter services. Fortunately, for red-teamers, the vast majority of implementations of MFA across the Internet (email-based, SMS, OTP, and push requests) all share a common critical flaw that can still be easily circumvented using a modern revision of the classic “credential harvesting” attacks. This talk will offer a comprehensive methodology for how a red team can effectively bypass nearly any MFA service using Python-Flask and browser emulation libraries (Mechanize or Selenium) to replay MFA credentials in real-time, establish legitimate user sessions, and then harvest the session tokens to assume access to those compromised sessions. This methodology will prove once again, that the advantage is still square in the hands of the red team, and that even now…ALL YOUR BASE ARE BELONG TO US!!!

Recording


Warfare on the Social Web

Delivery

Talk presented at HOU.SEC.CON in 2019

Description

Social media has become so prevalent in our lives that, with the right level of access, it is now possible to determine nearly everything about someone. With all of this information now circulating across the web, there are also constant and deliberate efforts by bad actors (rogues, miscreants, and general ne'er-do-wellers) to aggregate and exploit this information. In this talk, Hutch will demonstrate how many of the largest social networks can be used for highly exploitative purposes to include methods for identifying and targeting personnel of specific companies or government agencies, aggregating technology stack profiles of target organizations for APT-style attacks, cat-phishing to coerce action t ough enticement and/or blackmail, malware distribution, command & control operations, application access creep, and (of course) “fake news” dissemination. This is a technical talk and will include demonstrations of specific proof-of-concepts (with supporting code) related to social media exploitation, but will also appeal to the non-technical audience through a high-level examination of the political, social and business considerations related to social media cyber risks.

Recording

Comments

Popular posts from this blog

Building Bots with Mechanize and Selenium

The Sociosploit team conducts much of its research into the exploitation of social media using custom built bots. On occasion, the team will use public APIs (Application Programming Interfaces), but more often than not, these do not provide the same level of exploitative capabilities that could be achieved through browser automation. So to achieve this end, the Sociosploit team primarily uses a combination of two different Python libraries for building web bots for research. Each of the libraries have their own advantages and disadvantages. These libraries include: Mechanize Pros: Very lightweight, portable, and requires minimal resources Easy to initially configure and install Cuts down on superfluous requests (due to absense of JavaScript) Cons: Does not handle JavaScript or client-side functionality Troubleshooting is done exclusively in text Selenium Pros: Operations are executed in browser, making JavaScript rendering and manipulation easy Visibility of browse

Bypassing CAPTCHA with Visually-Impaired Robots

As many of you have probably noticed, we rely heavily on bot automation for a lot of the testing that we do at Sociosploit.  And occasionally, we run into sites that leverage CAPTCHA ("Completely Automated Public Turing Test To Tell Computers and Humans Apart") controls to prevent bot automation.   Even if you aren't familiar with the name, you've likely encountered these before. While there are some other vendors who develop CAPTCHAs, Google is currently the leader in CAPTCHA technology.  They currently support 2 products (reCAPTCHA v2 and v3).  As v3 natively only functions as a detective control, I focused my efforts more on identifying ways to possibly bypass reCAPTCHA v2 (which functions more as a preventative control). How reCAPTCHA v2 Works reCAPTCHA v2 starts with a simple checkbox, and evaluates the behavior of the user when clicking it.  While I haven't dissected the underlying operations, I assume this part of the test likely makes determination

Bootstrap Fail - Persistent XSS via Opportunistic Domain Sniping

This is the story of how a failed Bootstrap implementation on a website allowed me to gain JavaScript code execution into thousands of user browsers. How I Found It? Before I get into the story, I'll quickly explain how I found this vulnerability in the first place.  I have started developing a new opportunistic approach for acquiring persistent XSS (Cross Site Scripting) on various web-services across the Internet.  This methodology consists of the following steps: Use custom web-crawler to spider web services across the Internet and scrape source code. It iterates through IP addresses and hits the web-root content for every IP address. It then identifies websites that are using externally hosted JavaScript. This is achieved for each server by… Reviewing the HTML source code for <script> tags with a source (src) value containing a full web-address (rather than a local path). An example would be <script type='text/javascript' src='https://domain.name/path/to/ho