Websites are riddled with timing oracles eager to divulge their innermost secrets. It's time we started listening to them. In this session, I'll unleash novel attack concepts to coax out server secrets including masked misconfigurations, blind data-structure injection, hidden routes to forbidden areas, and a vast expanse of invisible attack-surface. This is not a theoretical threat; every technique will be illustrated with multiple real-world case studies on diverse targets. Unprecedented advances have made these attacks both accurate and efficient; in the space of ten seconds, you can now reliably detect a sub-millisecond differential with no prior configuration or 'lab conditions' required. In other words, I'm going to share timing attacks you can actually use. To help, I'll equip you with a suite of battle-tested open-source tools enabling both hands-free automated exploitation, and custom attack scripting. I'll also share a little CTF to help you hone your new skillset. Want to take things further? I'll help you transform your own attack ideas from theory to reality, by sharing a methodology refined through testing countless concepts on thousands of websites. We've neglected this omnipresent and incredibly powerful side-channel for too long.
By: James Kettle | Director of Research, PortSwigger
Full Abstract and Presentation Materials Available: https://ift.tt/L96WBr3
source https://www.youtube.com/watch?v=LDy7-xBvsfo
The Cyber Stream
Latest News for Cyber Security & Technology
Wednesday, 19 February 2025
Tuesday, 18 February 2025
Kicking in the Door to the Cloud: Exploiting Cloud Provider Vulnerabilities for Initial Access
In this talk we will explore vulnerabilities in Amazon Web Services (AWS) products which allowed us to gain access to cloud environments. Traditionally, adversaries have abused misconfigurations and leaked credentials to gain access to AWS workloads. Things like exposed long-lived access keys and exploiting the privileges of virtual machines have allowed adversaries to breach cloud resources. However, these mistakes are on the customer side of the shared responsibility model. In this session, we will cover vulnerabilities in AWS services that have been fixed and that previously allowed us to access cloud resources. We will start with an exploration of how Identity and Access Management (IAM) roles establish trust with AWS services and cover the mechanisms that prevent an adversary from assuming roles in other AWS accounts. We'll then demonstrate a vulnerability that bypassed those protections. We'll cover a real world example of a confused deputy vulnerability we found in AWS AppSync that allowed us to hijack IAM roles in other accounts. Next, we'll highlight potential misconfigurations involving IAM roles leveraging sts:AssumeRoleWithWebIdentity. These misconfigurations could permit unauthorized global access to these roles without the need for authentication, affecting services like Amazon Cognito, GitHub Actions, and more. Finally, we'll cover a vulnerability we found in AWS Amplify that exposed customer IAM roles associated with the service to takeover, allowing anyone the ability to gain a foothold in that victim account. We'll also discuss how security practitioners can secure their environments, even against a zero-day like one we'll demonstrate. Join us to learn how attackers search for and exploit vulnerabilities in AWS services to gain access to cloud environments.
By: Nick Frichette | Staff Security Researcher, Datadog
Full Abstract and Presentation Materials: https://ift.tt/Pstmazu
source https://www.youtube.com/watch?v=rykpVoAQiSI
Thursday, 13 February 2025
In Defense of Facts: Setting Standards Against Information Threats
When it comes to cybersecurity incident response, getting to patient zero is one of the most important factors. Millions of dollars are spent annually by the cyber vendor ecosystem to reduce MTTD (mean time to detect), which in large part requires them to be able to cut through the security 'white noise'. With the rise of MDM (mis/dis/malinformation), do these technologies and the methodologies behind them translate one for one? Unfortunately, they don't. The reason for the complexity found in MDM is in its ambiguous nature. This is a more complex issue, even compared to polymorphic malware generated by AI. Why? Because we are trying to put form and structure around intent. We are trying to take a qualitative concept, perhaps the qualitative quandary of the year (given the 2024 elections) and quantify the threat in a consistent and accurate manner – one that is actionable. This methodology is not only needed for identification purposes but ideally will help support actions, such as holding those responsible when they break the law. However, this is hard, if not impossible to do when you have entities like the federal government who encourage people to report anything they consider threats on social media, without guidance or clarity around what constitutes a threat. Given the sheer volume of MDM that Maricopa County faces, we have developed standards not only around reporting MDM but what constitutes a threat, what kind it is and the potential types of risk against the organization. This has helped increase the fidelity of our threat intelligence we share with our partner as well as establish business-centric thresholds around identified risks that we can put our limited resources towards investigating. As the threat of MDM increases, we believe that all organizations, regardless of sector but especially the federal government, should adopt a common taxonomy around MDM threats. 
By: Lester Godsey | CISO, Maricopa County
Full Abstract and Presentation Materials: https://ift.tt/Wl7Te2b
source https://www.youtube.com/watch?v=o1NG6Pecewg
Wednesday, 12 February 2025
ICS Risk: Strategies for Assessing Operational, Safety, Financial, and Cybersecurity Risks
ICS Risk Management: Strategies for Assessing and Mitigating Operational, Safety, Financial, and Cybersecurity Risks
In the evolving landscape of Industrial Control Systems (ICS)/Operational Technology (OT), managing cyber security risks has become a paramount concern for critical infrastructure operators, manufacturing companies and other OT asset owners. This panel session brings together industry-leading OT security experts to discuss viable strategies for assessing and mitigating risks associated with common control systems / OT. The panel will delve into the complexities of operational, safety, as well as financial and cybersecurity risks which organizations running ICS/OT face in the current digital age. Our experts will share insights and experience from the industrial space on how to approach topics such as asset visibility and vulnerability identification, assess the level of risk, and implement effective mitigation strategies. The panelists will also explore the latest OT threats and attack campaigns, as well as the relevance of common protective technologies for getting a security grip on ICS/OT, providing attendees with up-to-date knowledge to take with them for improving ICS/OT security in their organizations. This session is a must-attend for anyone relying on ICS/OT in their business or organization, or those who are responsible for or wish to gain a deeper understanding of the current developments, challenges and solutions in the field of ICS/OT security.
By: Daniel Cuthbert | Global Head of Security Research
Thomas Brandstetter | Founder, Limes Security
Noam Moshe | Vulnerability Researcher, Claroty Team82
Cassie Crossley | Vice President, Supply Chain Security, Schneider Electric
Full Abstract Available: https://ift.tt/hMrlu2C
source https://www.youtube.com/watch?v=Ifimg-1tsLo
Monday, 10 February 2025
Hook, Line and Sinker: Phishing Windows Hello for Business
In my presentation, I will share a method to phish the phishing-resistant authentication mechanism, Windows Hello for Business (WHfB). Despite WHfB's design to provide secure authentication through cryptographic keys, my research uncovers a method that allows attackers to downgrade this secure method to a more vulnerable, phishable one. My research reveals how attackers can intercept and modify POST requests to Microsoft's authentication services and manipulate the system into defaulting to a less secure authentication method. This is achieved by altering parameters such as User-Agent or isFidoSupported in the authentication request. I will detail the exploitation process, showing how I have modified the EvilGinx framework to automate the attack, making it scalable. Furthermore, I will discuss mitigation strategies, specifically focusing on the implementation of conditional access policies that leverage authentication strength — a feature introduced after reporting the issue to Microsoft, designed to enforce the use of phishing-resistant methods. This presentation aims to shed light on this flaw, to provide a deeper understanding of Windows Hello for Business and to encourage the adoption of enhanced security measures.
By: Yehuda Smirnov | Red Team & Security Researcher, Accenture
Full Abstract and Presentation Materials Available: https://ift.tt/cfkshNT
source https://www.youtube.com/watch?v=UnudlFeHlrU
Friday, 7 February 2025
From Weapon to Target: Quantum Computers Paradox
Everyone's focused on the power of quantum computers to shatter classical encryption. But in the race to harness this revolutionary technology, a crucial question remains unanswered: how secure are the quantum machines themselves? We've been so fixated on what these machines can break, we've neglected to ask how secure they are - creating a potential chink in the armor of the quantum future. This presentation delves deep into the untapped attack surface of quantum computers. We'll examine popular quantum platforms like IBM and IonQ, and the quantum software development kits users rely on, like Qiskit. We will also demonstrate how to abuse weaknesses in the quantum software stack. We'll showcase how attackers can steal authentication tokens, essentially impersonating users, and even inject malicious code into their programs. This can lead to the theft of valuable user credits and the sabotage of intended results. But the vulnerabilities extend beyond software. We'll unveil proof-of-concept attacks that manipulate the way quantum processing units (QPUs) reset their qubits. This allows attackers to steal results from previous computations before the reset, or even tamper with ongoing calculations. We'll even explore how crosstalk – the unintended influence between qubits – can be exploited to inject faults into circuits run by other users on the same QPU. Quantum computing holds immense potential, but so does the responsibility to secure it. By understanding and addressing these vulnerabilities today, we can build a more secure quantum ecosystem.
By: Adrian Coleșa | Senior Security Researcher, Bitdefender
Sorin Boloș | Quantum Software Engineer, Transilvania Quantum
Full Abstract and Presentation Materials Available: https://ift.tt/lfs5yG3
source https://www.youtube.com/watch?v=11W7ooklX7I
Wednesday, 5 February 2025
From HAL to HALT: Thwarting Skynet's Siblings in the GenAI Coding Era
This talk explores the transformative impact of GenAI on software development and its subsequent implications for cybersecurity. With GenAI, developers are shifting from traditional code reuse to generating new code snippets by prompting GenAI, leading to a significant change in software development dynamics. This advancement introduces new AppSec challenges as AI-generated code from LLMs trained on vulnerable OSS leads to vulnerable generated code. The higher code velocity enabled by generated code turns into higher vulnerability velocity and all the challenges velocity brings to security testing and remediation. The OSS training data set is also susceptible to data poisoning attacks. To make matters worse, developers, who should be the "person-in-the-middle", tend to trust GenAI created code more than human created code. This presentation will delve into real-world data from multiple academic studies, examining how GenAI is reshaping software security landscapes, the associated risks, and potential solutions to mitigate these emerging challenges.
By: Chris Wysopal | CTO & Co-Founder, Veracode
Full Abstract and Presentation Materials Available: https://ift.tt/VvekuX3
source https://www.youtube.com/watch?v=uv4AD6ICcfE
Tuesday, 4 February 2025
Foreign Information Manipulation and Interference (Disinformation 2.0)
Foreign Information Manipulation and Interference (Disinformation 2.0) Based on Learnings from 30 Years at NATO
Over the past decade, foreign information manipulation and interference (FIMI) operations have grown in complexity and scope. The speed, availability, and cohesion of tools and tactics employed by foreign malign actors have increased in recent years as the result of increasing global interconnectivity via social media and the internet at large, as well as technological advancements - such as rapid improvements in generative AI - that increasingly enable faster, better, and cheaper FIMI operations and tactics including deep fakes, and manipulated content including text, images, audio, and video. Additionally, these campaigns increasingly seek to destabilize the very foundations of target countries - undermining democratic principles through the targeting of elections, eroding public trust in institutions and local media, and exploiting social divisions to distract and subvert the target's efforts toward progress. Although attribution is not always straightforward on social media, it often becomes obvious through narrative analysis and social network analysis that foreign actors and the ecosystems they cultivate online covertly try to influence international public opinion on a wide range of topics and issues by amplifying polarization and eroding democratic discourse. The speaker will walk the audience through some case studies that highlight recurring patterns and how there is often a link between different tactics, techniques, and procedures (TTPs) - such as usage of proxies, usage of sock puppet accounts, and increasing usage of generative AI to support their activities.
By: Franky Saegerman | Former NATO Analyst
Full Abstract and Presentation Materials Available: https://ift.tt/QgPv2Xk
source https://www.youtube.com/watch?v=I5tZlIpWMWM
Monday, 3 February 2025
Driving Forces Behind Industry 4.0 and Digital Transformation for Critical Infrastructure
Critical Infrastructure functions, and the interdependent architecture which serve it, are transforming from a largely analog, centralized system, to a digital distributed and virtually orchestrated environment. This transformation is being driven by challenges in increasing demand, aging infrastructure, and the urgent need to reduce the impact of that delivery on the environment and climate globally. Digital transformation represents a strategic response to these challenges, offering opportunities to enhance energy delivery reliability, resilience and cost. As the industry moves to 4.0 and future generations, there are new virtualization features in this digital environment which could increase our cyber risk without adequate management and holistic planning. The digital transformation of industrial control systems discussed in this presentation will focus on enhancing Resilience and Reliability in this new paradigm, to operate, withstand and recover from adverse events.
By: Emma Stewart | Chief Power Grid Scientist, Idaho National Laboratory
Full Abstract Available: https://ift.tt/o5M8xL1
source https://www.youtube.com/watch?v=ffsrRKE5j9s