We R in a Right Pickle With All These Insecure Serialization Formats

The term pickle has become synonymous with insecurity in the modern python community and yet it remains one of the most prevalent serialization formats in the python ecosystem. However, pickle, despite its wide use, has been talked to death. In this talk, we will take a step back and look at the root problem, the use of bytecode driven serialization formats. We'll dissect both pickle and RDS, R's serialization format, giving a never before seen deep dive into the R language's main serialization format..... By: Kasimir Schulz | Principal Security Researcher, HiddenLayer Tom Bonner | Vice President of Research, HiddenLayer Full Abstract and Presentation Materials: https://ift.tt/20lzV9t

source https://www.youtube.com/watch?v=yrM1ryBaIJs

From Doxing to Doorstep: Exposing Privacy Intrusion Techniques used by Hackers for Extortion

Doxing, initially a practice for undermining hackers' online anonymity by "dropping docs", has evolved into a tool used for real-world extortion, employing violence-as-a-service tactics like "brickings", "firebombings" and "shootings". This escalation reflects a troubling trend where digital conflicts manifest physically and is facilitated by legal gray areas. The ambiguous stance on doxing in U.S. policy complicates accountability, making it a pressing concern for privacy and personal safety..... By: Jacob Larsen | Offensive Security Team Lead, CyberCX Full Abstract and Presentation Materials: https://ift.tt/nBwNeK9

source https://www.youtube.com/watch?v=sg3CpRQdBek

Main Stage: Understanding and Reducing Supply Chain and Software Vulnerability Risks

In complex software ecosystems, individual application risks are compounded. When it comes to mitigating supply chain risk, identifying backdoors or unintended vulnerabilities that can be exploited in your environment is just as critical as staying current with the latest hacking intel. Understand how to spot and reduce the risk to your environment and prevent disruption to your operation. By: Danny Jenkins | CEO & Co-Founder, ThreatLocker Full Abstract Available: https://ift.tt/uVHWpdv

source https://www.youtube.com/watch?v=js3SiZd5XNk

Keynote: Democracy's Biggest Year: The Fight for Secure Elections Around the World

2024 is the year for global democracy. The year when a record-breaking number of countries held national elections; when more than two billion voters cast ballots to shape the future of their nation and the world. In the foreground of this monumental moment, emerging technologies and heightened global tensions confront the resilience of even the world's longest standing democracies. This session will unpack how key international leaders are approaching election security risks to the democratic processes - such as cyber threats, foreign malign influence, and the role of generative AI - and ensure that 2024 is no anomaly, but an inflection point. Join CISA Director Jen Easterly, NCSC CEO Felicity Oswald, and ENISA COO Hans de Vries as they discuss the challenges of protecting democracy. By: Jen Easterly | Director, Cybersecurity and Infrastructure Security Agency (CISA) Hans de Vries | COO, European Union Agency for Cybersecurity (ENISA) Felicity Oswald OBE | CEO, National Cyber Security Centre (NCSC) Christina A. Cassidy | Reporter, The Associated Press Full Abstract Available: https://ift.tt/w3Yzh8G

source https://www.youtube.com/watch?v=vJxxzWgqlCQ

Navigating the Complex Challenges of Setting Up Efficient and Robust OT SOC Capabilities

In today's rapidly evolving industrial landscape, Operational Technology (OT) environments are increasingly targeted by cyber threats. As a result, the need for robust and efficient OT Security Operations Centers (SOC) has never been more critical. Unique constraints of OT environments, emphasizing the importance of near real-time threat detection, incident response, and the seamless integration of OT SOCs with existing IT SOCs. How to address key topics such as regulatory compliance, workforce training, and the adoption of advanced technologies like AI and machine learning. The influence those technologies have on building future-proof, OT focused SOC framework. How to establish a successful OT SOC? How to put the right governance structure in place so that IT and OT could successfully cooperate during incident response? What are the main risks and what should be taken into consideration? Different types of SOC deployment will be presented as well as best industry standards and captivating use cases. By: Piotr Ciepiela | Partner, EY Full Abstract Available: https://ift.tt/O40jl6t

source https://www.youtube.com/watch?v=mWgMtkhz39E

You've Already Been Hacked: What if There Is a Backdoor in Your UEFI OROM?

While there have been several studies on inserting malicious code into UEFI OROM (Option ROM), none of them have focused solely on UEFI OROM itself; instead, OROM has been used for auxiliary purposes such as ensuring persistence or as a temporary buffer for lateral movement. Therefore, there is a lack of clarification on what actions a backdoor in UEFI OROM could perform and its potential benefits. This presentation aims to organize the benefits and infection scenarios of placing a backdoor in UEFI OROM. It will delve deeply into the stealthiness and potency of OROM backdoors, followed by demonstrations of three novel PoC OROM backdoors targeting Windows. This PoC utilizes multiple novel evasion techniques, including communication with a C2 server during boot, execution of malicious code at both kernel and userland levels solely through a runtime DXE driver, concealing malicious tasks during the boot phase, and bypassing CFG/ACG using partial identity mapping. Lastly, strategies for defending systems against OROM backdoors will be discussed, along with an introduction to the research and initiatives needed for such protection. By: Kazuki Matsuo | Security Researcher, Waseda University and FFRI Security Full Abstract and Presentation Materials: https://ift.tt/5UVQBby

source https://www.youtube.com/watch?v=_S6EymfaBqQ

Will We Survive the Transitive Vulnerability Locusts?

Transitive vulnerabilities are the most hated type of security issue by developers, and for a good reason: transitive dependencies are the most common source of vulnerabilities in software projects. However, yet still, only a tiny number of them are exploitable. This talk will present our research findings on quantifying the risk of known vulnerabilities in modern software applications and the prevalence of exploitable transitive dependencies in real-world applications. While each vulnerability may have a slight chance of exploitation, the sheer number of transitive dependencies amplifies the risk significantly. This data underscores the importance of our discussion and the need for effective strategies to mitigate these risks in your software projects. We will present a PoC exploit for a real-world transitive dependency vulnerability and demonstrate how an attacker can compromise the application by exploiting a vulnerable transitive dependency. We will also discuss practical strategies for mitigating the risks associated with transitive dependencies and how to prioritize addressing them in your threat model. By: Eyal Paz | VP of Research, OX Security Liad Cohen | Data Scientist and Security Researcher, OX Security Full Abstract and Presentation Materials: https://ift.tt/2u1gySM

source https://www.youtube.com/watch?v=DVlFHen9hh0

What Lies Beneath the Surface? Evaluating LLMs for Offensive Cyber Capabilities

What Lies Beneath the Surface? Evaluating LLMs for Offensive Cyber Capabilities through Prompting, Simulation & Emulation Large Language Models (LLMs) show remarkable aptitude for analyzing code and employing software, leading to concerns about potential misuse in enabling autonomous or AI-assisted offensive cyber operations (OCO). Current LLM risk assessments present a false sense of security by primarily testing models' responses to open-ended hacking challenges in isolated exploit/action scenarios, a bar which today's off-the-shelf LLMs largely fail to meet. This fails to quantify graduated risks that LLMs may be capable of being adapted or guided by a malicious adversary to enable specific preferred tactics and techniques. In effect, this has left cyber defenders without a confident answer to the question "Does this LLM actually pose an offensive cyber threat to my system?" We address this gap by developing a more granular and repeatable means to measure, forecast, and prioritize defenses to near-term operational OCO risks of LLMs. In this talk, we present a rigorous, multifaceted methodology for evaluating the extent to which a given LLM has true offensive cyber capabilities. This methodology includes not only LLM prompt and response evaluation mechanics but also high-fidelity cyber-attack simulations and emulation test scenarios on real cyber targets. In effect, with our evaluation framework, selected LLMs are put through a barrage of repeatable tests, scenarios, and settings to elicit whether ever increasing levels of offensive cyber capabilities exist within the model's capacity. For this talk, we will detail our LLM evaluation methodology, technical implementation and tooling, provide results from our initial round of LLM evaluations, and have a real demonstration of an LLM evaluation for offensive cyber capabilities. Copyright 2024 The MITRE Corporation. ALL RIGHTS RESERVED. Approved for public release. Case 24-1222. By: Michael Kouremetis | Principal Adversary Emulation Engineer, MITRE Marissa Dotter | Senior Artificial Intelligence Engineer, MITRE Alex Byrne | Applied Cybersecurity Engineer, MITRE Dan Martin | Senior Offensive Security Engineer, MITRE Ethan Michalak | Cybersecurity Engineer, MITRE Gianpaolo Russo | Principal Engineer, MITRE Michael Threet | Principal AI Research Engineer, MITRE Full Abstract and Presentation Materials: https://ift.tt/OrkSG2W

source https://www.youtube.com/watch?v=p9T4gWds54o

Use Your Spell Against You: Threat Prevention of Smart Contract Exploit By Reusing Opcode Trace

With the increasing number of attacks on decentralized finance (DeFi) protocols, the losses caused by DeFi attacks have become a significant concern. To protect the security of DeFi protocols, contract code audits have gained attention in the industry. However, hundreds of cases still exist where these audited projects are attacked. Since traditional code-centric approaches are not enough to fully address these threats, we argue that proactive threat prevention is needed to block attacks and recover losses when an attack occurs. Our method takes advantage of the time difference between the attack transaction broadcasting and confirming. Specifically, we can automatically reconstruct the attack contract and broadcast a block transaction to front-run the attack transaction. The reconstructed contract can preserve the original attack logic while bypassing access control and replacing the revenue address. We have developed a system called IRONDOME by solving multiple technical challenges. The evaluation of historical attacks shows that our system can block 78 DeFi attack incidents in their corresponding chain state, including 31 incidents with anti-front-running strategies. The real deployment of our system has successfully blocked multiple attacks on Ethereum and BNB and saved more than 10 million USD assets of users in the past year for ten DeFi protocols. By: Yajin Zhou | Professor; CEO, Zhejiang University; BlockSec Full Abstract and Presentation Materials: https://ift.tt/1bZz7JR

source https://www.youtube.com/watch?v=Gqxc9zf0OZY

Unveiling Mac Security: A Comprehensive Exploration of Sandboxing and AppData TCC

The security architecture of modern operating systems is intricate and layered. To effectively challenge these defenses, attackers must extensively audit the security policies of the operating system across various dimensions. In July 2023, the speaker redirected their focus from Android and IoT vulnerabilities to those within macOS. This transition was motivated by an intent to adapt methodologies typically employed by Android security researchers for use in macOS environments, which subsequently led to the identification of numerous vulnerabilities. In this presentation, the speaker will introduce a generic method for escaping macOS application sandboxes. Additionally, the speaker will discuss a permission granting mechanism on macOS Moreover, macOS 14.0 introduced new TCC protections, preventing non-sandboxed apps from accessing the private container folders of sandboxed apps. Previously, executing a malicious non-sandboxed app could leak sensitive data from sandboxed apps like WeChat, Slack, and WhatsApp. However, this is no longer possible on macOS due to the new TCC protections. The speaker will explain how macOS implements these new TCC protections, which are complex and involve multiple high-privilege system processes and Sandbox.kext. If abused, there is potential to gain access to arbitrary files. By: Zhongquan Li | Senior Security Researcher, Dawn Security Lab, JD.com Qidan He | Director, Chief Researcher, Dawn Security Lab, JD.com Full Abstract and Presentation Materials: https://ift.tt/UXYz8u1

source https://www.youtube.com/watch?v=v1wIPaJT7x8

Unraveling the Mind Behind the APT - Analyzing the Role of Pretexting in CTI and Attribution

Interested in buying a new car or attending a free wine tasting event? Well, there's at least one Advanced Persistent Threat (APT) group that hopes you are! This talk delves into the phishing campaigns sent by the world's most sophisticated APTs. It examines an extensive collection of thousands of APT phishing emails, sometimes associated with major security breaches, tracing the evolution of these cyber threats over time. The focus is particularly on the pretexting and persuasion tactics employed by these actors, and the potential for attributing attackers based on these strategies. With a large volume of emails to analyze, a local Large Language Model (LLM) is trained to extract underlying pretext and persuasion techniques. Additionally, this enriched dataset is trained to categorize these emails according to a custom classification framework designed for this purpose and predict the author of a new phishing campaign according to these features. This approach not only helps in understanding how APTs lure individuals into their malicious activities but also enhances the capability of threat intelligence analysts to attribute new campaigns to known threat actors. Attend this talk for insights into the classification and attribution of APT spear phishing emails, uncovering the often underestimated role of pretexting and persuasion in attribution and showcasing several successful cases where this concept aided in attributing attacks. By: Sanne Maasakkers | Senior Analyst, Mandiant (Part of Google Cloud) Full Abstract and Presentation Materials: https://ift.tt/2BOTglU

source https://www.youtube.com/watch?v=NmSlCsDWKoA