Conference Agenda

November 18, 2023
Speakers and timing may be subject to change

Time        | Activity                                                                                              | Speaker
0900 – 0945 | Check-in & Coffee Social                                                                              |
0945 – 1000 | Opening Ceremonies                                                                                    |
1000 – 1100 | Building trust, capacity, and connection in reproductive justice                                      | Ingrid Skoog
1100 – 1130 | Acting on Available Intelligence: Emulation Plans to Harden Cyber Defenses                            | Alex Martirosyan
1130 – 1230 | Security Research: Finding, Disclosing, and Reporting Vulnerabilities in 2023                         | Bobby Rauch, Amit Serper, Jonathan Leitschuh
1230 – 1300 | Lunch break                                                                                           |
1300 – 1330 | Socially Malicious: Discord as Malware Infrastructure                                                 | Andy Thompson
1330 – 1415 | Lightning Talks:                                                                                      | Misha Yalavarthy, JO Bowker, Priya Puranik
            |   * Scaling Security at a Start-up                                                                    |
            |   * How to Build a Privacy Program in 10 Easy Steps                                                   |
            |   * Deployment Checks for a Secure Environment                                                        |
1415 – 1445 | Who Goes There? Actively Detecting Intruders With Cyber Deception Tools                               | Dwayne McDaniel
1445 – 1500 | Coffee break                                                                                          |
1500 – 1530 | Don’t Trust Identity Providers: Authentication on the Modern Web without Single Points of Compromise  | Ethan Heilman
1530 – 1600 | Ape Tax: what million-dollar NFT heists can teach us about security principles                        | Ryan Cohen
1600 – 1615 | Closing Ceremonies                                                                                    |
2023 Conference Agenda

Check in & Coffee Social
Grab your badge and chat with community members!

Opening Ceremonies
We’ll take a brief moment to welcome everyone, go over any last-minute business, and then get started with the conference!

Building trust, capacity, and connection in reproductive justice
Ingrid Skoog (she/her)

  • Cover the experience of supporting reproductive justice in the US in a pre- and post-Dobbs World.
  • Work to build trust, capacity, and connection within and among the abortion access movement and technology communities.
  • What is needed from volunteers?
    • Can have many different backgrounds and skill sets
    • Important to be vetted – people are our biggest strength and our biggest vulnerability
      • We’ve seen that criminalization mainly happens after people turn someone in for a self-managed abortion, not because of any tech dragnet. (The dragnet is helpful for the police after someone’s already on their radar.)
      • There’s no tech solution for infiltration, although there are things that can help.
    • Explain how we organize with volunteers via Slack, regular meetings, and a community project board
      • Drop in some examples from the board of tech skills needed across some projects
    • Give examples from past experience of ways volunteers have helped
      • Common user challenges of getting Signal installed and set up properly on a desktop
      • Thinking through end user experience with a website – how can information be presented to get them what they need in the safest way possible?
    • Challenges of understanding how to provide support in the right way
      • Don’t tell people what they need – folks are the experts of their own circumstances
      • Letting go of assumptions
      • Understanding how to find the answers when you don’t have them
    • Importance of infosec being accessible to folks on the ground
      • Making it fun
      • Representation matters. When people don’t see themselves and the issues they struggle with represented in the infosec community & discussion, they tune out. Volunteers doing infosec become an outside entity, leading to more adversarial relationships than are necessary.
      • Perfect as the enemy of the good. It’d be great if everyone seeking abortions was on Signal & Tor, but that’s not going to happen. It’d be wonderful if we had super secure, non-commercial tech for every use case, but people just need to do their jobs and sometimes that means using GSuite and Slack.

Security Research: Finding, Disclosing, and Reporting Vulnerabilities in 2023 (Panel Discussion)
Bobby Rauch, Amit Serper, Jonathan Leitschuh

Whether it be in messaging clients, transit systems, IoT devices, or free and open source software (FOSS), the work of security researchers in finding and reporting vulnerabilities is one of the backbones of a secure digital panopticon. The security research community is one of the most active and passionate communities within information security, and its members care deeply about securing the digital ecosystem. This panel discussion will feature three local security researchers whose research work has been presented at major conferences and featured in every major tech news outlet, including Krebs on Security, Bleeping Computer, The Verge, Hacker News, Dark Reading, and more.

The panel will talk about everything security research including:

– The security research mindset

– How to craft a research plan: deciding what to research, how long to research it for, and deciding what the final objective is

– What is the process for finding vulnerabilities and how do you conduct research in a responsible way

– What is different about researching an IoT device compared to FOSS

– Lessons learned from years of research and responsible disclosure to different organizations

– How individuals can go about using their talents to help secure their community

Socially Malicious: Discord as Malware Infrastructure
Andy Thompson

Discord, the popular online chatting service, has become a target for cybercriminals looking to steal personal information and money from its users. The CyberArk Malware Research Team recently discovered a new malware called Vare, which is distributed over Discord and used to target new malware operators by using social engineering tactics. The malware is linked to a new group called “Kurdistan 4455” based in southern Turkey and is still in its forming stage. This presentation will discuss the origins of malware on Discord, how attackers are using Discord’s infrastructure to distribute malware, and the unique challenges of monitoring and mitigating this type of threat. The presentation will also provide a technical analysis of Vare, including its methods of obfuscation and payload delivery. Finally, the presentation will discuss the motivations of the “Kurdistan 4455” group and how they are using Discord to launder money and conduct hacktivism.

Outline

  I. Introduction
  • Overview of Discord and its popularity
  • Explanation of Discord Nitro and its desirability among users
  • Brief history of malware on the platform

  II. Methods of Discord Malware
  • Misuse of Content Delivery Network
  • Misuse of Discord’s API
  • Webhooks
  • Injecting Code into Discord

  III. Technical Analysis of Vare
  • Overview of Vare’s code
  • Veerus obfuscation layers
  • Empyrean main functionality
  • Vare custom code

  IV. “Kurdistan 4455” Group
  • Origin of the group
  • Motivations for targeting Discord
  • Examples of their activities

  V. Challenges of Monitoring and Mitigating Discord Malware
  • Difficulty of differentiating between malicious and benign files
  • Difficulty of monitoring and blocking C&C communication channels
  • Difficulty of protecting against webhook misuse

  VI. Conclusion
  • Summary of key points
  • Discussion of the future of Discord malware and its potential impact on corporate developers

How to Scale Security at a Start-up (Lightning Talk)
Misha Yalavarthy (she/her)

Starting a security program from scratch can be challenging to navigate, especially at a company that is quickly scaling. Being part of a small security team does not mean that your impact can’t be big. Developing the ability to strategically prioritize your time through the different stages of a security program, in relation to the company’s growth, is critical. When do you build specialized teams? When are you ready to start a bug bounty program? What does building D&R from scratch look like? These are some of the questions I hope to help answer with my talk.

How to Build a Privacy Program in 10 Easy Steps (Lightning Talk)
JO Bowker

Anyone with a ton of privacy knowledge, spare time on their hands, and a healthy budget can build a great privacy program. It involves a ton of upfront work, including a comprehensive data map, getting Privacy Counsel involved, and ongoing maintenance and improvement. So if a great program isn’t feasible right now, you can ignore the problem or build a basic program. It’s easier to have a good program and improve it over time, than have nothing with the hope of implementing a great program someday. This presentation will explain, in 10 easy steps, how to build a basic privacy program from scratch, as well as next steps to turn a good privacy program into a great one.

Deployment Checks for a Secure Environment (Lightning Talk)
Priya Puranik (she/her)

According to OWASP, 90% of applications have security misconfigurations. It is crucial that developers are familiar with common misconfigurations and that these are identified early in the coding process, which is when fixing them is most effective and least disruptive for infrastructure deployment. The ratio of security professionals to developers is 1:80 at best, which makes manual review of each cloud deployment impractical.

The presentation will be divided into the following sections:

  1. Fundamental concepts of Infrastructure-as-Code and Policy-as-Code
  2. Build-time vs run-time security checks
  3. Overview of open source and enterprise tools
  4. High level overview of Wayfair’s journey

Who Goes There? Actively Detecting Intruders With Cyber Deception Tools
Dwayne McDaniel (he/him)

Intrusion detection works best when you can discover the attacker while they are still in the system. Finding out after the fact does little to protect your systems and your data.

Ideally, you would want to set an alarm that an attacker would trigger while limiting the damage to your environment.

We know from many recent breaches that attackers commonly try to expand their foothold in a system by finding and exploiting hardcoded credentials in environments they have accessed. We can use these behavioral patterns to our advantage by engaging in defensive cyber deception.

You might already be familiar with the concept of honeypots: false systems or networks meant to lure and ensnare hackers. There is a subclass of honeypots that requires almost none of the overhead, is simple to deploy, is used across many industries, and lures attackers into triggering alerts while they are trying to gain further access. The industry has arrived at the term honeytoken for this branch of cybersecurity tooling.

Takeaways:

– Analysis of recent breaches for common attack behaviors

– A history of cyber deception and the evolution of honeypots in defensive strategies.

– Understanding how honeytokens work

– Maximizing the impact of honeytokens

Don’t Trust Identity Providers: Authentication on the Modern Web without Single Points of Compromise
Ethan Heilman (he/him)

Abstract:

OpenID Connect is the ubiquitous Single Sign On (SSO) authentication mechanism used on the modern web, but its security depends on a number of trusted parties. Chief among these are Identity Providers (IdPs). A compromised or malicious IdP results in a total loss of security for any relying users or organizations.

In this talk we introduce OpenPubkey, an extension to OpenID Connect, which adds user-held signing keys. This enables a user, say Alice@example.com, to cryptographically sign messages under her OpenID identity such that anyone can cryptographically verify that these messages are from Alice@example.com. OpenPubkey does this without requiring changes at the Identity Providers (IdPs). Not only is OpenPubkey compatible with OpenID Connect, it is transparent to Identity Providers. A variant of OpenPubkey is deployed and being used to sign messages for users at IdPs such as Google, Microsoft, Okta, and OneLogin.

Finally, we show how OpenPubkey reduces and eliminates the trust placed in various parties in OpenID Connect and can maintain security even against a malicious OpenID Provider (the most trusted party in OpenID Connect). This enables developers to leverage IdPs and OpenID Connect to build end-to-end authenticated web applications without needing to assume that the IdPs will behave honestly.

OpenPubkey is made available as open source under the Apache 2.0 license.

Ape Tax: what million-dollar NFT heists can teach us about security principles
Ryan Cohen (he/him)

The Ethereum NFT project known as Bored Ape Yacht Club (BAYC) unintentionally cultivated a natural cybersecurity experiment: what happens when you take a community of enthusiastic and credulous people with limited experience with public-private key cryptography, and put them in a position where they have to protect their private keys?

The answer, perhaps predictably, is rampant theft of those keys totaling several million dollars in damages (so far). Since the launch in 2021, BAYC holders have had so many of their apes (private keys) stolen that they’ve garnered a reputation for being easy targets for thieves.

As much fun as it is to point and laugh at people who paid thousands of dollars in magic internet money for a URL pointer to a hideous ape jpeg, the BAYC incidents also offer good learning examples for the cybersecurity community at large. We will look at a few high-profile incidents and talk about what lessons we can glean about key management, the importance of usability, and social engineering.

Closing Ceremonies
Wrapping things up for the day!