Episode #255

Thoughts on Hacker Summer Camp 2024

This week on Absolute AppSec Episode #255 (0xFF), after some time away in the desert heat of Las Vegas attending Blackhat, BSidesLV, Diana Initiative and DEF CON, Ken (@cktricky) and Seth (@sethlaw) are back to dive into the highlights of these recent cybersecurity conferences. The highlight of the week was a podcast event, where listeners, hosts, and guests met up to ride the High Roller. Full Episode Video at: https://youtube.com/live/ViZU2k8w_wI 

The week started for Seth at Diana Initiative, where he was impressed with the quality of the talks in an intimate format from organizers that promote underrepresented groups. This was followed by BSidesLV, running as an alternative to the more corporate events at BlackHat. Presentations and workshops were the name of the game, and the highlight for Seth was a talk by Mike Larkin of DeepFactor that dove into exploring how applications behave when running in an operating system. (Do you know just how many files are touched when running a simple bash shell script to echo “hello” to the console? More than you think.)

On the corporate side, Blackhat is known for its focus on cutting-edge research, business development, and networking opportunities. This year, it upheld its reputation as a hub for innovation and engagement for large corporations and well-funded startups alike. The conference floor was filled with elaborate booths from industry giants like Google, Microsoft, and Crowdstrike (thoughts and feelings here, but moving on). While the business side of Blackhat is prominent, the conference remains deeply rooted in technical research, which this year focused on the latest threats and defenses in cybersecurity, including advanced persistent threats (APTs), zero-day vulnerabilities, and novel attack vectors. This year, Ken’s company, Dry Run Security, was one of the finalists in the Blackhat Startup Spotlight competition.

After the corporate-focused environment of Blackhat, DEF CON brings a more community-driven atmosphere of collaboration, learning, and sharing within the hacker community. One of the strengths of this year’s DEF CON was the community-driven content and the informal networking opportunities that provided pathways to connecting with like-minded individuals.

The AppSec Village at DEF CON was a standout feature of this year’s conference, offering a wide variety of talks and hands-on experiences in key areas of application security. Highlights of the AppSec Village included talks on bug bounty methodologies and ethical considerations; PortSwigger’s presentations on abusing web caches and email regular expressions, which were standouts for improving web application security testing with Burp Suite; Tanya Janca’s talk on secure software development; and a session on the relevance of social engineering tactics within application security. A common theme across all the conferences was novel uses of generative AI tools to enhance security assessments.

Overall, Hacker Summer Camp was filled with heat, inspiration, and friends. Be sure to catch this episode on your preferred platform. If you attended, jump into Slack and share your thoughts. For podcast-branded t-shirts, hats, mugs, and more, check out the new shop at merch.absoluteappsec.com. Finally, we would be remiss not to mention that we will be in Melbourne, Australia on September 10-11 to run a session of Practical Secure Code Review (with AI). Join us if you can; registration is available at training.absoluteappsec.com.

This episode was sponsored by Redpoint Security. Redpoint specializes in "Code Security. By Coders," backed by years of experience testing applications and conducting code reviews against all types of applications, including AI, web, and mobile. Redpoint also offers secure code training to help ground your teams in better security practices across the development lifecycle. Check out redpointsecurity.com for more information and put your company on a path to better security.

Stay Secure,

Seth & Ken

https://youtu.be/wSEZSP3WT6w - Episode #154 - Conferences, Cloud Security, Software Supply Chain

https://youtu.be/b5IVhnboDIY - Episode #147 w/ James Kettle - Security Research, HTTP Request Smuggling

https://youtube.com/live/mzS79dUiYno - Episode #206 - RSA, Artificial Intelligence, Spidering Tools

Absolute AppSec Happenings

https://www.oligo.security/blog/0-0-0-0-day-exploiting-localhost-apis-from-the-browser - Novel research presented during BSidesLV on using the IPv4 wildcard address 0.0.0.0 to bypass browser restrictions and reach services listening on the local machine.

https://www.reviewjournal.com/business/tourism/invasion-of-privacy-hotel-room-inspections-confuse-hacker-convention-attendees-3121350/ - As discussed on the podcast, Resorts World (aka Hilton) decided it had to inspect hotel rooms for possible hacking devices.

https://www.troyhunt.com/inside-the-3-billion-people-national-public-data-breach/ - Interesting analysis by Troy Hunt on the “3 billion people” data breach. A lot of smoke & mirrors and misrepresented data, even if some of it is correct.