Wild West Hackin' Fest - Deadwood 2024
Deadwood Mountain Grand - Track 1
Thursday, October 10
 

10:00am MDT

{JWT}.{Misuse}.&Abuse
Thursday October 10, 2024 10:00am - 10:50am MDT
JWTs are an incredibly flexible tool that make life easier for developers because they are standardized, widely supported, and include important security features by default. However, like any powerful tool, JWTs can be dangerous when used incorrectly, or for unintended purposes. In this talk, I aim to shine a light on common JWT misuse and abuse. I'll start by briefly describing JWTs and common use cases for them. I'll then present real world scenarios of misuse and abuse from applications that I've tested as a consultant, and written as an engineer. As I present each scenario, I'll demonstrate the various features and failures live, and discuss how the specific implementation of JWTs can be hardened. The end result will be an enlightening and entertaining presentation of information and experience that will provide the viewer with a practical knowledge of how, and how not, to use JWTs.
Speakers
Tim Tomes

Application Security Engineer with extensive experience in the information technology and security industries. Experience ranges from software development to full-scope penetration testing (red teaming) as both a technician and leader for both the United States Military and private...

Deadwood Mountain Grand - Track 1 1906 Deadwood Mountain Dr, Deadwood, SD

11:00am MDT

Digital Doppelgängers: The Dual Faces of Deepfake Technology
Thursday October 10, 2024 11:00am - 11:50am MDT
In society, evolving artificial intelligence leverages cutting-edge technology to create synthetic text, audio, and video clips at a concerning rate. These emerging innovations pose significant threats to organizations' cybersecurity protocols and defenses. This presentation examines the multifaceted nature of deepfakes, offering insights into their creation and detection, what organizations need to do to educate their users, and the technology available to protect against these latest strains of social engineering attacks.
Speakers
James McQuiggan

Security Awareness Advocate, KnowBe4
James McQuiggan has over 20 years of experience in cybersecurity and is currently Security Awareness Advocate for KnowBe4, where he is responsible for amplifying the organization’s messaging related to the importance of, effectiveness of and the need for new-school security awareness...

Deadwood Mountain Grand - Track 1 1906 Deadwood Mountain Dr, Deadwood, SD

1:00pm MDT

EDR Internals for macOS and Linux
Thursday October 10, 2024 1:00pm - 1:50pm MDT
Endpoint Detection and Response (EDR) agents typically comprise multiple sensory components that collect information from various telemetry sources the operating system provides. Many public blogs and conference talks have covered Windows telemetry sources, such as kernel callbacks and ETW, but only some mention macOS and Linux equivalents.

Developers using macOS often have privileged cloud accounts or access to intellectual property such as source code. Linux servers may host customer-facing interfaces or applications that access sensitive databases. Defenders must have confidence in their tools for these systems, and attackers must understand how to evade them.

This talk will detail telemetry sources available to EDR on macOS and Linux and compare them to Windows equivalents. The sources commonly used to monitor process creation, shared library loading, networking, and file activity will be described based on the presenter's observations while reverse engineering popular EDR agents.
Speakers
Kyle Avery

Kyle Avery has been interested in computers for his entire life. Growing up, he and his dad self-hosted game servers and ran their own websites. He focused on offensive security in university and has spent the last few years learning about malware and post-exploitation. Kyle previously...

Deadwood Mountain Grand - Track 1 1906 Deadwood Mountain Dr, Deadwood, SD

2:00pm MDT

Red Team Tactics in a DevOps Deployment
Thursday October 10, 2024 2:00pm - 2:50pm MDT
Ever wondered how a red team targets DevOps automation and CI/CD environments? Join us as we provide unique insight into a real-world attack path that ended in a complete compromise of an organization's cloud resources and third-party platforms. In this presentation, we will uncover some red team tradecraft that highlights the difficulty of securing build servers, deployment processes, and source-code repositories. We will look at what was done right, what was done wrong, and how understanding your target environment can lead to bringing down the house of cards without ever stepping onto the internal network. This is a high-paced technical talk that includes initial access, lateral movement, privilege escalation, evasion, and persistence of a CI/CD deployment in the cloud.
Speakers
Mike Felch

Mike Felch (known online as @ustayready) is a red teamer with over 25 years in cybersecurity. Mike works as a Principal Security Consultant at TrustedSec on the Targeted Ops red team where his primary focus is on long-term engagements covering a variety of technology stacks, network...

Deadwood Mountain Grand - Track 1 1906 Deadwood Mountain Dr, Deadwood, SD

3:00pm MDT

Offense for Defense
Thursday October 10, 2024 3:00pm - 3:50pm MDT
This presentation focuses on the offensive tools that defenders should be running to identify high-impact security issues on their network. Explore the proactive advantages of offensive security tools that can be quickly and easily run by defenders to better protect and defend their network. Attendees will learn how offensive security tools enable defenders to stay ahead of potential adversaries, enhancing network resilience and safeguarding against breaches effectively.
Speakers
Tim Medin

Red Siege
Tim is the CEO of Red Siege, an infosec company focusing on pen testing. Tim is a former Senior Instructor and course author (SEC560) at SANS. Through the course of his career, Tim has performed penetration tests on a wide range of organizations and technologies. Tim has gained information...

Deadwood Mountain Grand - Track 1 1906 Deadwood Mountain Dr, Deadwood, SD

4:00pm MDT

The Art of Lurking: Effective C2 Channels
Thursday October 10, 2024 4:00pm - 4:50pm MDT
Lurking means to wait or move in a secret way so that you cannot be seen. On a red team or assumed breach operation, our success hinges on how our implants communicate with us. The way these communications happen - how fast, how often, and how much data is exchanged - is key to realistically mimicking cyber attackers. In this talk, I'll break down the essentials of choosing a Command and Control (C2) channel and share some clever tactics and commonly used services that help us stay under the radar and gain the upper hand in our target's environment. Get ready for a behind-the-scenes look at the stealthy side of cybersecurity.
Speakers
Corey Overstreet

Senior Security Consultant, Red Siege
Corey has been engaged with Fortune 500 organizations across a variety of industries, including financial services, government services, and healthcare and is widely recognized for his in-depth OSINT talks and workshops. Additionally, he is a Black Hat trainer and has spoken at conferences...

Deadwood Mountain Grand - Track 1 1906 Deadwood Mountain Dr, Deadwood, SD

5:00pm MDT

When I Grow Up, I Wanna Be a Script Kiddie
Thursday October 10, 2024 5:00pm - 5:50pm MDT
Meterpreter session 1 opened! ... "Wait, you're using Metasploit? Pfft, why didn't you write your own custom implant-loader-beacon-shellcode-dropper-payload, you n00b!?! Skill issue, RTFM and git gud." Ah, to tool or not to tool, that is... a question. Whether you're rocking some l33t Arch Linux RICE to write your own custom kernel and C2 framework, or you're hacking with someone else's PowerShell script: join John Hammond for a slap in the face presentation on why your righteous tooling doesn't matter. We'll dig into the good, the bad, and the ugly -- vim or nano? Python or Rust? Who cares... but let's ask why it is up for debate in the first place. Filled to the brim with imposter syndrome, breaking down the gates from gatekeepers, this session is a comedy farce that you've got to `git checkout`. Ya stinkin' script kiddie.
Speakers
John Hammond

John Hammond is a cybersecurity researcher, educator and content creator. As part of the Research & Development Threat Operations team at Huntress, John spends his days analyzing malware and making hackers earn their access. Previously, as a Department of Defense Cyber Training Academy...

Deadwood Mountain Grand - Track 1 1906 Deadwood Mountain Dr, Deadwood, SD
 
Friday, October 11
 

9:00am MDT

Hiding in Plain Sight - Shellcode Obfuscation Techniques
Friday October 11, 2024 9:00am - 9:50am MDT
It doesn’t matter how advanced your shellcode loader is, if you don’t protect your shellcode from prying AV & EDR sensors, you’re going to have a bad time. From simple encryption schemes like the Caesar cipher to more complex schemes like AES, reversing arrays, steganography, encoding shellcode as other data types, and other techniques, this talk will cover a variety of ways to hide shellcode in your loader. I’ll demonstrate how these techniques score against many engines using VirusTotal. In some cases, AV engines will detect the decoding routine. I’ll also discuss techniques you can use to break this detection. I will also be sharing a repository demonstrating the different evasion techniques discussed in this talk. Note – this talk will not cover behavioral evasion techniques like unhooking, direct and indirect syscalls, or other evasion techniques. Whether you’re new to obfuscating shellcode or an experienced pro, there’s something in this talk for you!
Speakers
Mike Saunders

Principal Consultant, Red Siege
Mike Saunders is Red Siege Information Security’s Principal Consultant. Mike has over 25 years of IT and security expertise, having worked in the ISP, banking, insurance, and agriculture businesses. Mike gained knowledge in a range of roles throughout his career, including system...

Deadwood Mountain Grand - Track 1 1906 Deadwood Mountain Dr, Deadwood, SD

10:00am MDT

Never Say Anything: NSA Hacking for Defense at Scale
Friday October 11, 2024 10:00am - 10:50am MDT
In my first career, I spent 35 years at the National Security Agency as a Vulnerability Analyst for the defense, from junior analyst to executive manager. I also had the honor of helping found and lead two of the Nation’s largest organizations dedicated to this mission – the Systems and Network Attack Center, and the Vulnerability Analysis and Operational Group. At NSA, Vulnerability Analysis for defense was a “full spectrum” activity, designed to emulate the resources of a nation-state adversary and their ability to operate at scale. In this talk, I’ll offer a historical and personal perspective on how this field of analysis evolved from a focus on mathematics and cryptography, through systems and software, and then to “live” operational systems. And what’s it like to spend a career as a cyberdefender for the DoD and the nation, but homed inside of an intelligence agency? We’ll discuss the mission, technical, and cultural interplay of cyberdefense and offense/intelligence as it played out at NSA. War stories, culture clashes, bureaucratic mazes? Of course! But in the end, better security for all.
Speakers
Tony Sager

Tony is currently Senior VP & Chief Evangelist for the Center for Internet Security (CIS), leading a wide variety of strategic, partnership, and outreach activities. He led the work which later became known as the CIS Critical Security Controls – an independent, volunteer-developed...

Deadwood Mountain Grand - Track 1 1906 Deadwood Mountain Dr, Deadwood, SD

11:00am MDT

Risk AIssessment
Friday October 11, 2024 11:00am - 11:50am MDT
In this talk, we'll present Risk AIssessment - a risk assessment framework for AI-enabled applications. With the rush to embed generative AI in everything but your toaster (oh, it's in that now too?) there is a lack of usable assessment frameworks for organizations that are deploying these AI-enabled applications. The NIST AI RMF is fantastic if you're building AI foundation models or consumer services, but it's ill-suited and overly complex for organizations just adopting an application that has generative AI features. In this talk, we'll introduce the framework and show how organizations can utilize it to evaluate their risk to decide whether to adopt an application, prioritize compensating controls, or select between competing applications. Finally, we'll share case studies from using Risk AIssessment in numerous consulting engagements and show how it can be used in your organization to highlight risks.
Speakers
Jake Williams

Jake Williams (aka MalwareJake) is a seasoned security researcher with decades of experience in the technology and security industries. Jake is a former startup founder, former senior SANS instructor and course author, and an intelligence community and military veteran. He loves forensics...

Deadwood Mountain Grand - Track 1 1906 Deadwood Mountain Dr, Deadwood, SD

1:00pm MDT

All on Red: Shifting the Betting Odds to Defense
Friday October 11, 2024 1:00pm - 1:50pm MDT
You often hear the term, it only takes an adversary one main find to compromise an entire organization. The odds don't seem to be in our favor when it comes to defense. This talk will dive into effective methods to flip the odds into your own favor and things you can do quickly that don't take a three-year strategic roadmap. We'll be getting into some techniques you can leverage in deception and detection as well as methods that I've seen stop our red teams in the past. If I were a betting man, my bet is on defense.
Speakers
David Kennedy

TrustedSec & Binary Defense Systems
David Kennedy is the founder of Binary Defense and TrustedSec and is considered an industry leader in cybersecurity. Former Chief Security Officer of Diebold, David has led global cybersecurity teams, testified before Congress, and shapes cybersecurity policy. He co-authored the...

Deadwood Mountain Grand - Track 1 1906 Deadwood Mountain Dr, Deadwood, SD

2:00pm MDT

Abusing API Security
Friday October 11, 2024 2:00pm - 2:50pm MDT
Abusing API Security will discuss how to look at API security in a different way through multiple API attack techniques with a particular focus on GraphQL and gRPC.
Speakers
Charles Shirer

Charles has over 20 years of IT experience with the last 10 years in Information Security. Charles has done systems administration, penetration testing, threat hunting, and security research. In his spare time Charles plays retro video games, works on the SEC BSD Open source project...

Deadwood Mountain Grand - Track 1 1906 Deadwood Mountain Dr, Deadwood, SD

3:00pm MDT

Vulnerability-centric Pentesting
Friday October 11, 2024 3:00pm - 3:50pm MDT
Interacting with vulnerabilities is a core security practice. For a pentester, vulnerabilities should form a map to making risk actual, but our tools in this space often get in our way. Sirius Scan is a tactical vulnerability scanner. One dedicated to you, the operator.

In this talk, we will fluidly interact with and exploit network vulnerabilities by leveraging several open-source tools and tying their interactions with vulnerability intelligence.

Speakers
Matthew Toussain

A graduate of the U.S. Air Force Academy with a B.S. in computer science and the SANS Technology Institute with an M.S. in information security engineering, Matthew has served as the senior cyber tactics development lead for the U.S. Air Force (USAF) and worked as a security analyst...

Deadwood Mountain Grand - Track 1 1906 Deadwood Mountain Dr, Deadwood, SD
 