Tuesday, 19 May 2026

SecTor 2025 | How a Mobile Drivers License App Became a Boarding Pass

It starts with a client and a late-night idea on a napkin. It turns into a SOC2-certified product trusted by Police, Government Agencies and the TSA. You'll hear how we partnered with an ambitious state to augment their physical Driver's License with a new Digital ID built from the ground up. One that lets you access public services, legally buy age-restricted items and even board planes with just your phone.
In this 45-minute Briefing, you will walk away with:
- A blueprint for turning any 'idea on a napkin' into a certification-ready release.
- A pipeline template that performs security testing, triage, and pushes defects back to developer queues to ensure you don't go backwards.
- A threat-model approach that you can copy and use to quickly gain confidence with teams and customers.
- How to measure risk and establish an executive risk scorecard that gets to the finish line.
- Lessons learned from breaking and fixing facial-recognition, blockchain/SSI claims, and how to attack 3rd party verification apps.
Why does this matter? Unlike typical apps, failing here means anyone can forge an identity. With no mature framework to follow, we synchronised compliance, DevSecOps, and user-privacy across four orgs, three audit firms, and one very impatient legislature.
Key stories we'll unpack:
- What's going on with your data, and how an identity app works.
- Building a security-as-code pipeline that ships and keeps auditors happy.
- Breaking liveness detection and facial recognition implementations.
- When the ground shifts and new interoperability standards cause fraudulent verifications.
- How-to on achieving SOC2 certifications, encompassing everything from the mobile app to manufacturing plants.
- How to prove security to clients: threat modeling, pen tests, and 3rd party assurance.
- Integrating blockchain and self-sovereign identity.
- Successfully launching the final product with TSA approval for boarding flights.
If you've ever wondered how to 'secure it' when there are no roadmaps, no precedents, and the stakes are literally sky-high, this talk is for you. This session isn't just a story—it's a playbook for navigating the unknown, where security isn't just a requirement; it's the product.
By: John Duffy | Director - ID/Payment Security, Canadian Bank Note Company https://ift.tt/xMLeDCf

source https://www.youtube.com/watch?v=1yK7ODoqyiE

SecTor 2025 | When Hackers Meet Burglars

Smart buildings blur the line between IT and physical infrastructure, connecting HVAC, lighting, access control, elevators, cameras, and more under a single "brain" called a Building Automation System (BAS). Drawing on real engagements against Canadian smart building deployments, this talk guides you through a red teaming exercise that uncovers both digital and physical attack paths. You'll see how attackers gather intel, probe entry points, exploit insecure IoT protocols, and seize control of critical systems. We'll examine live scans, protocol abuse and real world video demos. Finally, we will flip to defense mode, offering a practical blue team playbook. Attendees will leave with an actionable framework rooted in Canadian field experience, for both offensive engagements and OT focused defenses. By: Amir Hosseinpour | Offensive Security Specialist, White Tuque https://ift.tt/4hF7JVx

source https://www.youtube.com/watch?v=qNyJlfq-1RY

Black Hat Stories Episode 4 | Yaara Shriki, Threat Researcher at Wiz

In this episode, Yaara Shriki shares why Black Hat is an inspiring and educational experience for anyone in the field or just curious, offering a closer look at the people and innovations driving cybersecurity forward. #BlackHatStories #BHEU #BlackHat #cybersecurity

source https://www.youtube.com/shorts/n20_ZUBcoIM

Monday, 18 May 2026

Black Hat Stories | Yaara Shriki, Threat Researcher at Wiz

In this episode, Yaara Shriki, Threat Researcher at Wiz, shares her experience speaking at Black Hat Briefings for the first time, from pre-talk nerves to the excitement of presenting at one of the world’s leading cybersecurity events. She reflects on what makes Black Hat special, where professionals come together to learn from industry experts, connect with peers, and discover the latest ideas and innovations shaping cybersecurity. More than just a conference, Black Hat is an inspiring and educational experience for anyone in the field, or simply curious about it, offering a closer look at the people and advancements driving the industry forward. 🔗 Visit our site: https://blackhat.com/ 📧 Subscribe to our free newsletter: https://ift.tt/plwTdCL #BlackHatStories #BHEU #BlackHat #cybersecurity

source https://www.youtube.com/watch?v=5gI5EJ2IyGs

Sunday, 17 May 2026

Connecting at Black Hat | Hear from the CEO & Founder of FuzzingLabs

What sparks a career in cybersecurity? Patrick Ventuzelo, CEO and founder of FuzzingLabs, shares how curiosity and a drive to understand systems led to a path in offensive security research, and why Black Hat is a place to connect with the global cybersecurity community. #BlackHatStories #BlackHat #cybersecurity

source https://www.youtube.com/shorts/qm4ceMivdrA

Friday, 15 May 2026

SecTor 2025 | Threat Architecture, Attack Surfaces & Real-World Risk

AI is ubiquitous, so no surprises that Physical AI is primed and ready to enter the market. Autonomous gadgets powered by AI brains are graduating from demos at trade shows into consumer-grade devices in 2025. Early contenders include: Samsung's Ballie, expected availability this summer; Hengbot's Sirius AI robot-dog, accepting deposits with shipping expected in September; and smart security cameras that decide "on-device" when to unlock doors or trigger alarms. These AI-powered edge devices embody Agentic Edge AI—systems that sense, reason, and act locally, optionally using the cloud for heavyweight analytics or fleet learning. This split architecture is what makes them susceptible to threats. By mixing safety-critical control loops with opaque fast-evolving AI models, they introduce new attack surfaces that neither traditional embedded security nor classic cloud-app SecOps cover. This talk examines the five-layer stack common to every edge AI agent—from perception to learning—highlighting security cracks identified by researchers and exploring how those cracks could translate into real-world impacts. We will present three realistic kill-chain scenarios from our research into Agentic Edge AI architecture: sensor-side prompt injection convincing a household robot a sleeping dog is a "burning sofa," triggering the sprinkler API and calling emergency services; adversarial vision patches allowing a stranger to bypass an AI doorbell's face whitelist; and federated-learning poisoning quietly degrading thousands of wearables through a single software update. For each case-study, we explore how the compromise travels through the software stack layers, which mitigations block the attack, and what still fails under pressure. Whether we are securing AI powered consumer gadgets, industrial robots, or municipal smart-city deployments, we'll need to harden these chatty little machines before they turn into our next cyber-attack entry point. 
By: Numaan Huq | Senior Threat Researcher, Trend Micro https://ift.tt/nV0uC8Q

source https://www.youtube.com/watch?v=wI8pDps93Pw

Thursday, 14 May 2026

Black Hat Stories Episode 3 | Patrick Ventuzelo, CEO & Founder of FuzzingLabs

Patrick Ventuzelo, CEO and founder of FuzzingLabs, explains why Black Hat Europe and Black Hat USA are key events for sharing research and connecting with the fuzzing and offensive security community. #BlackHatStories #BlackHat #cybersecurity #BHEU #BHUSA

source https://www.youtube.com/shorts/8quCoE7I9DI

Wednesday, 13 May 2026

Bridging Research & Reality | Why Academics Attend Black Hat

On this episode of Black Hat Stories, Professor David Oswald from Durham University explains why Black Hat is essential for academics at every level. Hear how Black Hat bridges the gap between academic research and real-world security challenges. #BlackHatStories #BlackHat #cybersecurity

source https://www.youtube.com/shorts/ih2duj_zwjU

Tuesday, 12 May 2026

Black Hat Stories | Patrick Ventuzelo, CEO and Founder of FuzzingLabs

In this episode of Black Hat Stories, Patrick Ventuzelo, CEO and founder of FuzzingLabs, shares what first sparked an interest in cybersecurity and a passion for offensive security research, and how that led to building AI-powered tools to find vulnerabilities. Patrick highlights that Black Hat continues to serve as a top destination for presenting new research, connecting with the global community, and engaging with experts shaping the future of cybersecurity. 🔗 Visit our site: https://blackhat.com/ 📧 Subscribe to our free newsletter: https://ift.tt/dF9eS7q #BlackHatStories #BHEU #BlackHat #cybersecurity

source https://www.youtube.com/watch?v=HRCkDkPUp3M

Wednesday, 6 May 2026

Bridging Research & Reality | Why Academics Attend Black Hat

On this episode of Black Hat Stories, Professor David Oswald from Durham University explains why Black Hat is essential for academics at every level. Hear how Black Hat bridges the gap between academic research and real-world security challenges. 🎥 Watch the full story: https://youtu.be/U6ZV6m4hOaQ?si=-OwHc4GmESCcBjO1 🎟️Join us at Black Hat USA: https://ift.tt/Y0SZcqQ... 🔗 Visit our site: https://blackhat.com/ 📧 Subscribe to our free newsletter: https://ift.tt/M6k1d5f #BlackHatStories #BlackHat #cybersecurity

source https://www.youtube.com/shorts/VMZKLHg19ag

Monday, 4 May 2026

SecTor 2025 | Detecting Forbidden White Labeled and Counterfeit Devices

In 2022, the Canadian federal government banned the use of technologies from ZTE and Huawei in Canadian telecommunications networks, citing national security reasons. Bans on other manufacturers, such as Hikvision, are also under consideration. Technologies from these vendors may not be purchased, and existing installed devices must be removed. However, many of these devices are "white labeled": sold under a different name, by a local vendor...but peel back the label and the forbidden device remains. The same goes for too-good-to-be-true prices for equipment on auction sites: counterfeit copies of name-brand devices are not rare. This talk will discuss techniques to detect these devices, including Internet-wide statistical methods, and deep dives into telltale network protocol quirks. Learn how to tell if your expensive router (bought cheap!) really is the real thing, and whether your network really is free from forbidden devices. By: Rob King | Director of Applied Security Research, runZero, Inc https://ift.tt/oyAQ28W

source https://www.youtube.com/watch?v=tBHMShpXgaY