One thing is for sure about 2020: it’s a year that will stick out in our memory for the rest of our lives. Luckily, in spite of many on-site, in-person events being cancelled, many transitioned to a virtual environment. While the scene may have shifted drastically, we still saw some amazing security research, trainings, and content.
We’ve compiled some of our favorite security talks that you may have missed in the chaos of 2020. With the year coming to a close, take a bit of time to learn something new from the community:
Why We Like It: Sometimes something created to help us can be turned against us. Joshua Maddux’s DEF CON talk demonstrates this concept when he showed how to leverage TLS as an attack vector via the common security vulnerability server-side request forgery (SSRF). At a high level, it’s possible to use the Server Name Indication (SNI) feature of TLS to force a user to navigate to a malicious domain. You can then do “DNS rebinding” – and eventually get access into otherwise unreachable local services, leading to data exfiltration. It’s an attack with potential to do massive harm, but Maddux also provides mitigation recommendations for defenders. Knowing how an attack would play out is the best way to prevent them.
Why We Like It: Besides the fact that Jon Williams is an Operator on the Bishop Fox CAST team, this is an excellent primer on how to escalate privileges – and get code execution (and even backdoor access) – in the ubiquitous source code static analyzer SonarQube. Attackers frequently target SonarQube misconfigurations in the wild, so this talk will help you maximize your impact should you encounter the application during a client engagement.
Why We Like It: Leron Gray, a member of the Microsoft Azure red team, provides an in-depth walkthrough of an exploit in an Azure environment and demonstrates how to gain administrator credentials. His talk culminates in gaining global administrator-level access to a virtual machine. Yikes. His realistic examples are easy to follow and just as easy to put into action. Gray’s talk is also a good reminder to double-check the permissions in your Azure environment, if you’re able to do so. (Also, fun fact, Gray moonlights as a nerdcore rapper.)
Why We Like It: In December 2019, we published a blog post by Senior Security Engineer Caleb Gross detailing a critical-risk vulnerability affecting Telerik UI. This talk Gross gave at DerpCon uses that particular high-profile CVE as an example of how .NET deserialization works. It’s an extremely useful deep dive into testing for deserialization vulnerabilities in .NET software.
Why We Like It: “Russian hacking” is a bit of a tired phrase, but Jorge Orchilles offers an interesting look into the Russian advanced persistent threat group known as “Cozy Bear.” Orchilles uses the deceptively named Cozy Bear as a threat model for red teams. Through that lens, this talk has some useful and actionable insight. If you’re new to the world of red teaming, Orchilles shares plenty of detailed methodologies and frameworks as well as steps involved in an adversary emulation exercise.
Why We Like It: Thanks to the stuck-mostly-at-home nature of 2020, home labs (perfect for finetuning your testing skills) have been having something of a moment. Chris Myers demonstrates that it’s entirely possible to set up a home lab in the cloud without any equipment. We love that the talk focuses on lowering any possible barrier to entry for establishing a cloud lab. One particularly noteworthy item about this talk is how it emphasizes the rapid availability and ease of use for cloud infrastructure. It’s become increasingly easier to simulate a Fortune 100 organization’s infrastructure via a home lab, allowing you to better your skills on a real-world environment with plausible misconfigurations (just like an organization would likely have in their environment).
Pro Tip: If you’re looking to build a hardware lab, you can check out our guide here.
Why We Like It: OSINT can be quite a time suck, and when you’re working on a client engagement (or even just playing around with bug bounties), you don’t necessarily want to waste hours trying a number of OSINT tools to get intel on a target. So, in that spirit of “work smarter, not harder,” here’s a SANS@MIC TALK by Micah Hoffman that will help you explore additional outlets that can make OSINT so much easier. And not only is this helpful from an OSINT perspective – but this is a great reminder of how even swearing off social media won’t protect your information.
Why We Like It: If you compete in CTFs, watch this talk by Bishop Fox’s experienced CTF player Barrett Darnell (who competed in the SANS NetWars: Tournament of Champions in 2019). If you have yet to compete in a CTF but are curious, then check out this talk so you have a leg up on your competition when you decide to do one. Darnell provides his recommendations and strategies and shares how competing in CTFs can make you an all-around better pen tester.
Why We Like It: Deepfakes are kind of a buzz topic and they can incite a lot of fear. However, Erich Kron demystifies deepfakes in this must-watch BSides NoVA talk. He breaks down how deepfakes are formed, the technology attackers use to create them, and how deepfakes can be used as a powerful social engineering tool. Kron handles this clickbaity subject matter with aplomb; you can recommend this talk to any non-security person in your life who may be a little nervous about the possibilities deepfakes present.
Why We Like It: Software-Defined Radio (SDR) has historically not been that accessible to most people due to the cost of the equipment involved. That has changed in the past decade, though, with the introduction of RTL-SDR. Bishop Fox Security Consultant Kelly Albrink covers everything you need to know to get involved with the SDR community – and to begin reverse-engineering radio signals to do all kinds of cool stuff (e.g., talk to a satellite in deep space).
We’d like to acknowledge that these are only a sample of the fantastic talks security researchers presented this past year. If your favorite didn’t make the list, share it with us on Twitter (@bishopfox)!