Presentations

4th party collections of Close Access Operations… and more

David Maynor

Here’s how David describes his presentation:

“My whole career I have been fascinated with proximity based attacks with vectors like WiFi or Bluetooth. In recent years companies and entrepreneurs have started selling hardware best used for operations to gain access to things close by. I’m in heaven for commercially available professional grade implants and other tools that require physical access. Come learn the lessons I did and what gaps exist as well.”

Mobile SIMulator

A tale of bots, fraud, 347,200 unused SIM cards and 474 iPhones

Sophia d’Antoine and Ian Roos

SIM Cards are clunky and take a while to swap out. That’s really frustrating, why don’t we build an array of activated SIM cards and a hardware device to swap the phone over to a new card quickly and easily. Kinda like a KVM but for SIM cards? Wow what a great idea – oh shoot it’s a fuzzer too? Could someone use this to build better SIM card malware? SIM Cards are a historically overlooked piece of equipment that have been unappreciated by mobile phone assailants for far too long. In this talk we explore SIM cards as an attack vector, delve into the quiet history of SIM exploitation, and take a look at future techniques for attacking this tragically forgotten piece of equipment.

Unmasking the Avengers

Elizabeth Wharton and Suchi Pahi

No longer solely for use by protestors or comic book characters, facial recognition algorithms are racing to adjust for the increased use of facial masks in public. Caught up between protests and COVID are cellular data and biometric data sets, shared with and utilized by law enforcement in often unintended ways. A growing number of public/private partnerships are providing law enforcement access to large data pools. Information that in some cases is incorrect. Your voice may be your password, but what happens when it’s your face and there’s a data breach or the data is wrong. We’ll take a deeper dive into how privately collected location sharing and facial recognition data is being increasingly leveraged by government and law enforcement.

Exploiting Sexual Exploitation: How to punch abusers in the virtual face

The LaBac Collective

Online sexual harassment is one of the most overlooked crimes on both the interwebs and irl. Victims need help, and way fewer resources exist to support them. From cyberstalking cases, to revenge porn posts to deepnude takedowns, LaBac helps victims of abuse defend and prevent targeted attacks.

This talk details our crew’s efforts to flip the table against online abusers. We will outline various tactics used against historical targets, such as technical attacks and policy exploits. We’ll also discuss how you can help punch these abusers in the virtual face.

Back to the Backdoor Factory

Benjamin Kurtz

The Backdoor Factory was a classic tool that injected shellcode into downloaded binaries from a man-in-the-middle attack. We’ve spent a year completely rewriting this in Go as a set of binary modification libraries that you can use in your own code! Join us as we take a tour of the new Backdoor Factory and its expanded capabilities.

Code:

• https://github.com/Binject/backdoorfactory
• https://github.com/Binject/debug
• https://github.com/Binject/binjection

Blog:

• https://www.symbolcrash.com/2020/05/17/back-to-the-backdoor-factory/

Wassenaar You Serious? A Fireside Chat About Exploit Regulation

Katie Moussouris with Ryan Naraine

Join Katie Moussouris and Ryan Naraine for a fireside chat about export controls rearing their ugly heads yet again. We’ll discuss a real-life scenario in which Katie nearly found herself facilitating an illegal international cyber arms deal or three in the Middle East, and how security researchers and even defense-oriented companies can find themselves in hot water when it comes to export control of cyber weapons.

Compendium of Container Escapes

Brandon Edwards and Nick Freeman

Containers are a hot topic, and there’s lots of technical nuance around their operation. In this presentation we will cover vectors and themes for container escapes, from incorrect engine operation, to misconfiguration, to good ol’ fashioned kernel exploitation. So if you’ve ever browsed syzbot output and thought “gee, this one looks easy to trigger, could I get out of a container with it?” (the answer is probably yes), tune in to our talk!

Pwnies Nominations

Justine Bone

It’s the most important award bestowed by the information security community. When you’ve won a Pwnie, you’ll know you’ve earned it, because your peers, the people who really know infosec, fellow leaders and winners of this prestigious award, chose you.

Let’s kick off the summer security season by opening the Pwnies nominations!