Disclosure 2020

Disclosure is an experimental security event that aims to bring together bleeding edge researchers and security professionals.


Keynotes

Opening Keynote with the Grugq - Strategic Cyber Warfare

The Grugq, Information Security Researcher

Kick things off with Okta's Chief Security Officer, David Bradbury, then hear from the Grugq, our opening keynote presenter.

This talk describes strategic cyber warfare: great power conflicts viewed from a strategic level that includes cyber, and cyber operations viewed through a prism that includes great power contest. Under this lens, individual cyber operations are less interesting in themselves; they are steps advancing towards strategic objectives. Cyber operations can now achieve results typically reserved for kinetic warfare.

Existing discussions of CyberWar are severely hampered by focusing on cyber battles at the tactical or operational level, rather than the strategic level of war. Strategic cyber warfare, aka persistent engagement, is based on principles that have been around for a long time (e.g. Fabian strategy), but only recently formalised as doctrine in the West. None of this is new, but the cyber dimension collapses information spheres, geolocation, and gatekept communities. The main impact of this is flattening the resource requirement differences between a state, a corporation and a person.

Small groups of people can take actions that are as effective or more effective than states.


Closing Keynote with Samy Kamkar - The Future of Exploitation

Samy Kamkar, Cofounder of Openpath Security

The world is a beautiful place. We are all fortunate to experience or observe curious physical phenomena; the sound of birds singing or the ultrasonic chirping of cryptographic functions, the glowing scattered light of an early sunrise or the electromagnetic emanations of a secret key unwrapping, a cool breeze of morning air or a gust of canned air increasing data remanence of passwords in memory. The math and physics found around us in nature, harnessed by humans, transmitted through silicon, extracted from sand, all to be wonderfully exploited by low cost technologies that we will explore together.


Security

Hardware Security: The Final Frontier?

Marc Rogers, VP of Cybersecurity Strategy, Okta

All eyes are focused on software: July saw over 1000 vulnerabilities drop in just two weeks. Despite this, there are only a few notable people looking at hardware security, and whole categories of critical devices get no scrutiny at all. I will demonstrate just how vulnerable this hardware is to attack and show some of the ramifications live.


Disinformation: Threat Intelligence and Creating a Distributed Response

Sara-Jayne “SJ” Terp, Founder, Bodacea Light Industries LLC

With companies providing disinformation as a service (DaaS) and the US election coming up in November, we need to prepare our disinformation defences now more than ever. This talk is about how we set up and ran a real-time disinformation threat intelligence team inside a larger information security response, the CTI-League. It includes tools, processes, data science support and how to keep the team sane whilst reading dangerous materials.


Hunting CVE-2020-5902

Nate Warfield, Managing vulnerabilities for the Microsoft Security Response Center

On June 30th, 2020 F5 Networks disclosed an extremely high severity (CVSS 10.0) vulnerability in their Web GUI management interface, affecting nearly all of their products. While most of the world was enjoying a weekend, and a holiday weekend for those in the United States, defenders were working hard to detect and respond. By Monday, widescale attacks had started and continue to this day. In this talk I'll cover the work I and others did to identify at-risk devices, notify at-risk organizations and craft a much-needed defense strategy. I'll explain this vulnerability, its similarity to other attacks against network devices seen in 2020, and share IOCs and techniques seen in real-world attacks. Finally, I'll address the vendor response, the challenges it posed for defenders and how it could have been improved.


I Choose You

Sherrod DeGrippo, Sr. Director of Threat Research and Detection, Proofpoint

If you could be anyone, who would you be and what malware would you unleash upon your victims? We'll discuss what threat actors use to make decisions: their thought process, their tools, what's available, and which threats go to which targets. We'll explore interesting campaigns including the social engineering and malware payload combinations intended to get the best results.


Theory to Practice: Applying Academic Program Analysis Advances in the Real World

Yan Shoshitaishvili, Assistant professor at Arizona State University

The automated analysis of software to find and fix vulnerabilities has been a core interest in the academic cybersecurity community for decades. Techniques are proposed, evaluated, discussed, shown to be effective, and, almost always, immediately forgotten. Despite hundreds of such academic papers, security analysis is still a heavily manual process. One can't help but wonder: why does the academically proven efficacy of automated tools rarely gain traction in the real world? I ran into this question head-first as I tried to apply my own research techniques to the real world after my participation in the DARPA Cyber Grand Challenge, the first fully automated cybersecurity competition. In this talk, I will discuss the difficulties that arise in transitioning theoretical techniques to practice, talk about recent directions in the field aimed at assuaging these difficulties, and present a frank look at the current cutting edge in software analysis. Hopefully, knowing the hurdles that can be encountered will help with the future transition of academic advancements to the real world.


Cyber Threat Intelligence Demystified

Jason Rivera, Director, Strategic Threat Advisor Group at CrowdStrike

Today’s security professionals recognize that threat intelligence is a critical component in their cyber toolkit, enabling them to proactively respond and pre-empt advanced threats. Yet many of these same professionals are having a difficult time understanding the array of threat intelligence solutions and how to best utilize them within their organizations.

Join CrowdStrike's Director of the Strategic Threat Advisors Group, Jason Rivera, as he examines these challenges and highlights the importance of leveraging threat intelligence as a critical part of an effective cybersecurity strategy. He will share how to get the most value out of threat intelligence by effectively applying it across your organization, from security operations to executive leadership.


Developer

How Ops Work Made Me Better at AppSec

Breanne Boland, Application Security Engineer, Salesforce

Ops engineers and security engineers share a reputation for being curmudgeonly, but there are more things they share than demeanor. While the differences between the roles are considerable, there are things from previous roles that made me better equipped to do a new and very different job. How does an ops person learn to embrace JavaScript after years of defending Bash? What does being a Terraform guru bring to secure code reviews? And is it easier to see security sins in Python scripts after years of writing quick-and-dirty networking tools? You'll learn what an ops engineer can bring to your appsec team and how a background in site reliability and infrastructure might give you a leg up in appsec work.


How to Think About OAuth Security

Aaron Parecki, Senior Security Architect, Okta

In this talk, Aaron Parecki, a contributor to the OAuth specifications, provides a summary of the recent updates to the OAuth 2.0 Security Best Current Practice spec, and sheds some light on the vulnerabilities and weaknesses that led to some of the changes. You'll learn how to look for potential flaws and what it takes to build a secure OAuth implementation.


Open Source Anti-Reconnaissance

Vickie Li, Web Security Researcher

Gathering intelligence about a target is the first step an attacker takes to attack an application. One key piece of information an attacker looks for is development information. What technology is the application built with? What security issues does the development team struggle with? What does the input validation code look like? Are there any outdated dependencies that might pave the way to a successful attack? Attackers collect information about an application's development process, technology, and dependencies to strategize how to best attack an application. Open-source reconnaissance is an increasingly popular method of reconnaissance. Compared to traditional web reconnaissance techniques like host enumeration and active fingerprinting, open-source intelligence is stealthy and almost impossible to detect. In this breakout session, we'll dive deep into how attackers conduct open-source reconnaissance and how to prevent open-source recon from compromising the security of your application.


Introduction to Public Key Cryptography

Kelley Robinson, Account Security, Twilio

From TLS to authentication, “crypto” is used for a lot more than just currencies. In 2020 security should be part of every engineer’s toolkit and cryptography is a foundation we can master together. This talk will dive into modern cryptography, the math behind how it works, and its everyday use cases. You’ll leave understanding the difference between symmetric and asymmetric cryptography, why you would have a public and private key, and how those get used in a variety of applications. We’ll look at how to encrypt and decrypt data in code and discuss the reasons you should never roll your own crypto. This will not be a talk about bitcoin, but will dive into how cryptography helps secure anonymous transactions and keeps your identity and data safe.


Lazy, Stupid and Unconcerned - Why You Are the Perfect Target

Rich Jones, Cofounder of Gun.io

In this fast-paced and wide-ranging talk, I'll show you some fun and practical attacks against application developers and system administrators that can allow for even greater access to treasured goodies than through flaws in applications themselves.


Blasting Browser Security with Extensions

Micah Silverman, Senior Security H@X0R, Okta

Multi-platform browser extensions are easier to write than ever, can have great authority to examine and alter HTTP requests and responses, and are shockingly easy to get listed on the official respective browser stores.

In this talk, Micah gives an overview of how browser extensions work and the web-ext tool for creating extensions that work in both Google Chrome and Mozilla Firefox. He then shows how to debug and test extensions locally as well as how to package them up for distribution. The talk culminates with a real-time attempt to get an extension with an over-powered list of permissions listed on the Chrome Web Store and the Firefox Browser Add-ons Store.