Quantifying Risk in Consumer Software at Scale — Consumer Reports’ Digital Standard
Last year Mudge and Sarah pulled back the curtains on the non-profit Cyber Independent Testing Laboratory: An organization designed to…Подробнее
black hat
The Origin of Array [@@species]: How Standards Drive Bugs in Script Engines
Web standards are ever-evolving and determine what browsers can do. But new features can also lead to new vulnerabilities as…Подробнее
Delivering Javascript to World+Dog
You’ve joined a startup building the next big enterprise unicorn. The product is delivered as javascript on all of your…Подробнее
Taking Over the World Through MQTT — Aftermath
We have created our own small tool for testing endpoints, and we have discovered that many times, protocol data is…Подробнее
The Active Directory Botnet
Botnets and C&C servers are taking over the internet and are a major threat to all of us … but…Подробнее
The Legal Landscape for a Cybersecurity Professional Seeking to Safeguard Sensitive Client Data
In this talk, we will examine the legal landscape for cybersecurity professionals seeking to safeguard a clients’ sensitive client data.…Подробнее
Fractured Backbone: Breaking Modern OS Defenses with Firmware Attacks
In this work we analyzed two recent trends. The first trend is the growing threat of firmware attacks which include…Подробнее
So You Want to Market Your Security Product…
In this talk, we will discuss the Federal Trade Commission’s (FTC) longstanding authority to protect consumers from unfair and deceptive…Подробнее
The Avalanche Takedown: Landslide for Law Enforcement
It was a highly secure infrastructure of servers that allegedly offered cyber criminals an unfettered platform from which to conduct…Подробнее
All Your SMS & Contacts Belong to ADUPS & Others
Our research has identified several models of Android mobile devices that contained firmware that collected sensitive personal data about their…Подробнее
New Adventures in Spying 3G and 4G Users: Locate Track & Monitor
The 3G and 4G devices deployed worldwide are vulnerable to IMSI catcher aka Stingray devices. The next generation 5G network…Подробнее
When IoT Attacks: Understanding the Safety Risks Associated with Connected Devices
The Internet of Things (IoT) is all around us, making our lives more convenient. We’ve seen IoT devices being taken…Подробнее
Real Humans Simulated Attacks: Usability Testing with Attack Scenarios
User studies are critical to understanding how users perceive and interact with security and privacy software and features. While it…Подробнее
Protecting Pentests: Recommendations for Performing More Secure Tests
Wesley presents a comprehensive set of recommendations that can be used to build secure penetration testing operations. This includes technical…Подробнее
They’re Coming for Your Tools: Exploiting Design Flaws for Active Intrusion Prevention
Several popular attack tools and techniques remain effective in the real world, even though they are well understood and documented.…Подробнее
Comparing Security Curricula and Accreditations to Industry Needs
This talk will take a look at how security curricula have traditionally been developed and continued to be shaped by…Подробнее
WSUSpendu: How to Hang WSUS Clients
We will present a new approach, allowing you to circumvent limitations and control the targeted network from the very WSUS…Подробнее
Automated Testing of Crypto Software Using Differential Fuzzing
We present a new and efficient approach to systematic testing of cryptographic software: differential fuzzing. Unlike general purpose software fuzzing…Подробнее
The Art of Securing 100 Products
his presentation introduces solid approaches to cope with these challenges by scaling out the application security team’s capabilities, putting the…Подробнее
Taking DMA Attacks to the Next Level
In our talk, we will present a novel, physical, DMA attack that is undetectable, doesn’t require a particular port and…Подробнее
FlowFuzz — A Framework for Fuzzing OpenFlow-Enabled Software and Hardware Switches
In this work, we present FlowFuzz a fuzzing framework for SDN-enabled software and hardware switches. In particular we focus on…Подробнее
How to Make Nation-State and Intelligence Attackers’ Lives Much Harder on Mobile Networks
In this talk, we will discuss the current status, possible solutions, and outline advanced SS7 attacks and defenses using open-source…Подробнее
Offensive Malware Analysis: Dissecting OSX/FruitFly via a Custom C&C Server
Creating a custom command and control (C&C) server for someone else’s malware has a myriad of benefits. If you can…Подробнее
Industroyer/Crashoverride: Zero Things Cool About a Threat Group Targeting the Power Grid
The cyber attack on Ukraine’s power grid on December 17th, 2016 was the second time in history a power grid…Подробнее
Fighting the Previous War (aka: Attacking and Defending in the Era of the Cloud)
While we have seen point attacks on cloud vendors there hasn’t been enough attention paid to the interdependence of these…Подробнее
Exploiting a Single SQLite Vulnerability Across Multiple Software
SQLite is widely used as embedded database software for local/client storage in application software, such as web browsers and mobile…Подробнее
Go Nuclear: Breaking Radiation Monitoring Devices
The purpose of this talk is to provide a comprehensive description of the technical details and approach used to discover…Подробнее
Splunking Dark Tools — A Pentesters Guide to Pwnage Visualization
A rise in data analytics and machine learning has left the typical pentesters behind in the dust. This talk covers…Подробнее
Protecting Visual Assets: Digital Image Counter-Forensics
Our talk will discuss various counter-forensic measures against both existent and emergent threats targeting image-centric intelligence gathering which adversaries may…Подробнее
Evilsploit — A Universal Hardware Hacking Toolkit
We will present a new method to allow provisioning port identification and manipulation by using connection matrix. With this, it…Подробнее