Talks 2025
The following talks will be offered on Saturday:
Date: Saturday March 22, 2025
Presenter | Title | Description | Time |
---|---|---|---|
Velizar Demirev | Forensics after an object storage breach: Investigating Cloud Storage Misconfigurations and Ransomware Attacks | Cloud storage is the backbone of modern businesses, but its convenience comes with risks. Misconfiguration and ransomware attacks on services like S3, EBS, EFS, FSx, Azure Blobs, and GCP Buckets are becoming alarmingly common, leaving organizations scrambling to respond. This session will equip attendees with the tools and strategies to investigate these breaches effectively. Learn how to identify the root cause, analyze access logs, assess the impact, and document findings—plus learn about building a recovery and prevention plan. | 50 min |
Mark El-Khoury | CRXaminer - Deep dive into Chrome extensions (+tool) | You spend your time configuring HTTP headers and hardening your containers, meanwhile your CFO just downloaded a Chrome extension to make the font in Gmail larger. What are Chrome extensions, exactly? We’ll dive into details, including: format, contents, static analysis with custom rules, threat modeling (when does this even matter?), and in general what to look for. We’ll cover some historical malicious extensions and how they worked (incl. on red teams). We’ll then demo a tool I’ve just released for this: CRXaminer (https://crxaminer.tech, WIP) and how you can immediately start using it. We’ll finally do some data analysis on statistics we’ve uncovered by using this tool at scale on many extensions, and uncover general trends and findings. | 25 min |
Sarah Hayes | Beyond Health Tracking: Exploring the Forensic Potential of Oura Ring Data | Ever wonder what personal health devices, like the Oura Ring, might reveal in an investigation? Join Sarah Hayes of Hexordia as she dives into the fascinating world of wearable forensics, with a focus on the Oura Ring. Discover how devices designed to track sleep, heart rate, and activity can hold critical clues, from reconstructing timelines to corroborating events. Learn about the tools and techniques used to extract and analyze data, and explore the potential of wearables as key pieces of evidence in modern investigations. | 25 min |
Tyler Hudak | Forensic Analysis of Microsoft Quick Assist | Attackers are utilizing Microsoft Quick Assist to obtain an initial foothold on systems, so it is imperative for cyber security analysts to understand it. This talk will discuss Quick Assist, how it is used by attackers, what Quick Assist artifacts exist on a compromised system that can aid an investigation, and how organizations can protect themselves from malicious usage of Quick Assist. | 50 min |
Sean Juroviesky | The Risky Business of Risk Illiteracy | Many cybersecurity professionals tune into the latest and greatest CVSS score, zero day, or whichever vulnerability is catching the most headlines, while missing the smallest gaps in their own infrastructure, which are typically the ones most often exploited by malicious actors. This is why each cybersecurity team needs to build an in-depth understanding of their business model, infrastructure, and business operations in order to tune their threat model to how a malicious actor would attack and exploit their particular business. | 50 min |
Devon Kerr | Peace, prosperity, and espionage: ASEAN and BRICS targeted by the People’s Republic of China | In this presentation, attendees of all experience levels will receive an overview from Elastic Security Labs that describes long-running PRC espionage operations impacting members of the ASEAN and BRICS political and economic organizations. This presentation will describe conventional and novel threat capabilities, as well as the major motivating factors behind these campaigns. | 50 min |
Kartik Khurana | Bridging the Gap Between GRC and Cybersecurity: Strategies for Effective Collaboration | Governance, Risk, and Compliance (GRC) teams often operate in silos, disconnected from the hands-on efforts of cybersecurity teams such as red and blue teams. This disconnect can lead to misaligned priorities, overlooked risks, and inefficiencies in responding to threats. In this presentation, we’ll explore strategies to bridge the gap between GRC and cybersecurity teams, emphasizing the importance of collaboration in building a unified, risk-aware culture. Attendees will learn actionable techniques to align compliance frameworks with security operations, foster communication between teams, and leverage shared tools and data for better outcomes. This talk will empower both GRC and cybersecurity professionals to break down silos and work together effectively. | 25 min |
Dennis Labossiere | Investigating a Malicious Script in Microsoft Intune: A DFIR Case Study | The proliferation of cloud-based solutions has significantly transformed the landscape of enterprise security, with Microsoft Intune emerging as a pivotal tool for device and application management. This Digital Forensics and Incident Response (DFIR) case study delves into the forensic investigation of a malicious script within Microsoft Intune, highlighting procedural insights and analytical techniques. The incident, which occurred in 2023, involved unauthorized access to a client’s Azure tenant by Scattered Spider. This presentation discusses the forensic analysis conducted to recreate the attack and understand its impact. This presentation describes baseline configurations, forensic tools, and methodologies deployed to detect and analyze the attack. Key technical aspects discussed include leveraging the Graph API, tracking user actions, modification timestamps, and decoding PowerShell script contents with CyberChef. | 50 min |
Zach Malinich | Discord OSINT: Using the Power of Empathy Banana | OSINT in Discord may seem limited, but with techniques like chat history searches and profile reviews, you can uncover linked accounts. By analyzing the servers a user joins, you can infer their experience, interests, and even location. However, scaling this approach is challenging until Spy.pet was disclosed in April. I will go over its capabilities, insights on Discord OSINT at scale, and OPSEC. | 50 min |
Danielle McGuire | Securing the EVSEcosystem | As electric vehicles become more and more common, so does Electric Vehicle Supply Equipment, or EV chargers. These devices exist in a complex ecosystem almost completely independent of the traditional electric grid, leaving their security the responsibility of the individual owners/operators. In this presentation, we will examine how EVSE is vulnerable at both the endpoint and network level, often through well-understood vectors such as stack-based buffer overflows and man-in-the-middle attacks. We will also discuss CVE opportunities for ambitious students and researchers, and steps that asset owners can take to secure their equipment and networks. Finally, we will examine evsetool, a Python utility developed by the author to send, intercept and decode OCPP 1.6 traffic, in order to enable attacks such as unauthorized charge session access and malicious firmware update. | 50 min |
Michael Nee | OT Security is Hard: Why can’t I do an ARP scan? | OT is the X-ray machine at the doctor’s office. OT is the conveyor belt that makes your dog’s medicine. OT is the Windows XP box tucked somewhere in a nuclear power generator. OT is operational technology: technology that interacts with the real world and supports us in every facet of our lives. OT has historically not placed much stake in cybersecurity, but that all changed following Stuxnet. I will provide information on the evolution of cybersecurity in OT environments and the challenges faced by OT cybersecurity professionals. We’ll start at step 1 of security: asset management. | 25 min |
Saurabh Singh | A Bug Hunter’s Way of Assessing Web Application Security | This session will delve into the methodology employed by bug hunters and penetration testers to assess the security of web applications. By focusing on practical techniques and an overview of tools, the talk will empower attendees with actionable knowledge to find vulnerabilities and enhance the overall security of their applications. The session will focus on what can be achieved by using such tools during assessments to find security issues and automate tasks. This session will also focus on understanding multiple types of vulnerabilities from OWASP and SANS, as well as business logic flaws. | 50 min |
Ethan Witherington | DevSecOps isn’t real, it can’t hurt you, and other lies: Lessons learned from letting engineers approve their own pull requests | DevOps? DevSecOps? We might as well call it DevSecMarketingHvacJanitorialOps - because the term ‘DevSecOps’ misses that DevOps already encompasses security, along with all other business concerns. It is a unifying theory of the way we work, including the way we secure our work, more effectively. Ethan Witherington has spent years studying the history and underlying principles of DevSecOps, and has come to a controversial conclusion - Engineers should be able to self-approve PRs to prod (and there are 35 prods) (and each prod is an F500’s SOC). This talk will start with historical context, dive into the theory of constraints, and explore all the reasons why such a safety-for-speed tradeoff is worthwhile (along with the other compensating controls to re-introduce security to the system). | 50 min |